Abstract. An overview of quantum computing, and in particular of the Hidden Subgroup Problem, is presented from a mathematical viewpoint. Detailed proofs are supplied for many important results from the literature, and notation is unified, making it easier to absorb the background necessary to begin research on the Hidden Subgroup Problem. Proofs are provided which give very concrete algorithms and bounds for the finite abelian case with few outside references, and future directions are provided for the nonabelian case. This summary is current as of October 2004.
1. Introduction

The main purpose of this paper is to give a self-contained explanation of the Hidden Subgroup Problem in quantum computing. A second goal is to bring the interested reader to the forefront of research in the area, so that a wider audience can attack the problems. The final goal is to present this at a level accessible to graduate students in math, physics, and computer science. Prerequisites are some abstract algebra, linear algebra, and an understanding of (classical) computation. However, almost any mathematically inclined reader should be able to learn something from this presentation.

1.1. Importance. The importance of the Hidden Subgroup Problem (from now 
on labelled the HSP) is that it encompasses most of the quantum algorithms found 
so far that are exponentially faster than their classical counterparts. Research in 
this area is centered on extending the families of groups for which the HSP can be 
efficiently solved, which may improve other classically inefficient algorithms, such as 
determining graph isomorphism or finding the shortest vector in a lattice. Finally, 
there are many group theoretic algorithms that are more efficient on a quantum 
computer, such as finding the order of a finite group given a set of generators. 



1.2. History. In 1994, Shor [114], building on the work of Deutsch [37] and Simon [118], found a quantum algorithm that could factor integers exponentially faster than any known classical method, and opened the floodgates on quantum computing research. Efficient integer factoring breaks the ubiquitous RSA cryptosystem. Shor also gave an algorithm solving the Discrete Log Problem (DLP), on whose hardness several other cryptosystems rely. Kitaev [77] noted that these algorithms, as well as others, fit in a framework of finding generators of a subgroup of a group using a function that "hides" the subgroup, and thus the Hidden Subgroup Problem was born. For more history, the book by Nielsen and Chuang [29] contains a wealth of information, as does the quantum physics archive at http://arxiv.org/archive/quant-ph
1.3. Notation. Here we fix some notation used throughout this paper. All logs are base 2 unless otherwise specified. $\mathbb{C}$ denotes the field of complex numbers. $\mathbb{Z}$ is the ring of integers, and for a positive integer $N$ we let $\mathbb{Z}_N$ denote the ring of integers mod $N$. For each integer $N > 0$ let $\omega_N = \exp(2\pi i/N)$, a principal $N$-th root of unity. Quantum mechanics specific notation is in Section 2 and Appendix C.

1.4. Layout. The layout of this paper is as follows. Section 2 covers the necessary quantum mechanics and the notation used therein. It also introduces a quantum computing model well suited to presenting the rest of the topics in this paper. Section 3 explains the algorithm solving the abelian case of the HSP efficiently, describing in detail the mathematics making it work. Section 4 generalizes the examples from Section 3 to give a more general form of the HSP, suitable for any finite group. Section 5 covers recent results, and what is currently known about the HSP, as well as quantum algorithms for other group related problems. Section 6 concludes. Much of the background and details are included in numerous appendices, giving details on topics such as the necessary background for the graph isomorphism reduction, generating groups from random samples, number theory results, etc.

2. Quantum Computing Model 

2.1. The Rules and Math of Quantum Mechanics. Here we define the rules of quantum mechanics (from a mathematical perspective). Details can be seen in Appendix C.

First some notation used in quantum mechanics. We define the following symbols:

$|\psi\rangle$ represents a column vector in some complex Hilbert space $V$, of finite dimension for this paper. For this section, let this dimension be $N$. Quantum mechanics forces us to use an orthonormal basis for $V$, so we fix the orthonormal standard basis $B = \{|0\rangle, |1\rangle, \dots, |N-1\rangle\}$. Then $\langle\psi|$ denotes the conjugate transpose row vector, often viewed as the dual to $|\psi\rangle$ with respect to $B$. For example, we compute as follows:

If $|\psi\rangle = \sum_i a_i |i\rangle$, then $\langle\psi| = \sum_i a_i^* \langle i|$, where $*$ denotes complex conjugation. $\langle i|j\rangle$, written for $\langle i|\,|j\rangle$, equals 1 if $i = j$ and 0 otherwise. Any linear operator on $V$ can be written as a $\mathbb{C}$-linear combination of the operators $|i\rangle\langle j|$, where $|i\rangle\langle j|$ is the matrix with a 1 in the $i,j$ entry and 0's elsewhere. Thus any linear operator $A$ on $V$ in the basis $B$ can be written in the form $A = \sum_{i,j} a_{i,j} |i\rangle\langle j|$, which is the matrix with the value $a_{i,j}$ in the $i,j$ entry, acting on the left of a column vector $|\psi\rangle$. $\langle\psi|A|\phi\rangle$ is the inner product of $\psi$ and $A|\phi\rangle$. Later the basis will often be indexed with elements from a group $G$, viewed as fixing an orthonormal basis and an injection mapping elements of $G$ to this basis.

2.1.1. The Postulates of Quantum Mechanics. Now on to the physical content of quantum mechanics, abstracted to a mathematical formalism. The content of quantum mechanics can be summarized by 4 postulates, which we take as the definition of quantum mechanics. They are: 1

Quantum Mechanics Postulate 1: State Space: Associated to an isolated physical system is a complex vector space with inner product (a Hilbert space) known as the state space of the system. The system is completely described by its state vector, which is a unit vector in the system's state space.

1 Postulates are taken verbatim from Nielsen and Chuang [29].

Quantum Mechanics Postulate 2: State Evolution: The evolution of a closed quantum system is described by a unitary transformation 2. That is, the state $|\psi\rangle$ of a system at time $t_1$ is related to the state $|\psi'\rangle$ at time $t_2$ by a unitary operator $U$ which depends only on the times $t_1$ and $t_2$,

(1) $|\psi'\rangle = U|\psi\rangle$

Quantum Mechanics Postulate 3: State Measurement: Quantum measurements are described by a collection $\{M_m\}$ of measurement operators. These are operators acting on the state space of a system being measured. The index $m$ refers to the measurement outcomes that may occur in the experiment. If the state of the system is $|\psi\rangle$ immediately before the measurement, then the probability that result $m$ occurs is given by

(2) $p(m) = \langle\psi|M_m^\dagger M_m|\psi\rangle$

and the state of the system after the measurement is

(3) $\dfrac{M_m|\psi\rangle}{\sqrt{\langle\psi|M_m^\dagger M_m|\psi\rangle}}$

The measurement operators satisfy the completeness equation

(4) $\sum_m M_m^\dagger M_m = I$

Quantum Mechanics Postulate 4: State Combining: The state space of a composite physical system is the tensor product of the state spaces of the component systems. Moreover, if we have systems numbered 1 through $n$, and system number $j$ is prepared in the state $|\psi_j\rangle$, then the joint state of the total system is $|\psi_1\rangle \otimes |\psi_2\rangle \otimes \cdots \otimes |\psi_n\rangle$.

We will explain briefly how these postulates are used in practice for quantum 
computing. 

2.1.2. Qubits and Operators. Analogous to the bit being the basic block in classical 
computing, the qubit is the basic building block in quantum computing. Formally 
we define 



Definition 2.1 (Qubit). A qubit (or quantum-bit) is a unit vector in $\mathbb{C}^2$. We fix an orthonormal basis of column vectors denoted as $|0\rangle = \begin{pmatrix} 1 \\ 0 \end{pmatrix}$ and $|1\rangle = \begin{pmatrix} 0 \\ 1 \end{pmatrix}$, corresponding to classical bits 0 and 1.

Definition 2.2 (State vector). The state of a quantum system is a (column) vector in some vector space, written $|\psi\rangle$.

By postulate 4, we can combine single qubits as follows.

(9)

2 Recall a unitary operator $U$ satisfies $UU^\dagger = I = U^\dagger U$ where $\dagger$ is conjugate transpose. In particular, unitary operators are invertible, implying quantum computation is reversible, which differs significantly from classical computing.



2.1.3. Qubits Galore. Similar to concatenating $n$ classical bits to "bitstrings", we concatenate qubits to get larger systems. Two qubits form a space spanned by the four vectors

(5) $|0\rangle\otimes|0\rangle,\ |0\rangle\otimes|1\rangle,\ |1\rangle\otimes|0\rangle,\ \text{and } |1\rangle\otimes|1\rangle$

where the tensor product is the usual vector space tensor. See the appendices for details. Shorthand for the above expressions is

(6) $|00\rangle,\ |01\rangle,\ |10\rangle,\ \text{and } |11\rangle$

Now we can check the second basis element (dictionary ordering)

(7) $|01\rangle = |0\rangle\otimes|1\rangle$

(8) $= \begin{pmatrix} 1 \\ 0 \end{pmatrix} \otimes \begin{pmatrix} 0 \\ 1 \end{pmatrix} = \begin{pmatrix} 0 \\ 1 \\ 0 \\ 0 \end{pmatrix}$

and we get the second usual basis element of $\mathbb{C}^4$. This works in general; that is, the vector corresponding to the state $|n\rangle$, where $n$ is a binary number, is the $(n+1)$-st standard basis element. We frequently use decimal shorthand: $|32\rangle$ is the 33rd standard basis vector in some space which would be clear from context.

Thus the state of an $n$-qubit system is a unit vector in $\mathbb{C}^{2^n}$. Note that the state of $n$ classical bits is described by $n$ elements each either 0 or 1, while the state of $n$ qubits requires $2^n$ complex numbers to describe. Thus it seems qubits contain much more "information" than classical bits. Unfortunately we cannot retrieve all this "information" from the state; we are limited by quantum mechanics due to the fact that measuring the state destroys information.

2.1.4. Measurement. The final operation we need to understand about qubits is measurement, the process of getting information out of a quantum state. There are several equivalent ways to think about it. We will cover the easiest to understand, intuitively and mathematically. However, to gain precise control over measurements, often one has to resort to an equivalent, yet more complicated, measurement framework 3, which we do not discuss here. See Nielsen and Chuang [29, Ch. 2].

We will do our measurements in the computational basis $\{|0\rangle, |1\rangle, \dots, |2^n - 1\rangle\}$ over an $n$-qubit system. Suppose we have the state $|\psi\rangle = \sum_{j=0}^{2^n-1} a_j |j\rangle$, which is a unit vector in $\mathbb{C}^{2^n}$. Measuring in the computational basis has the following effect: it returns the state $|j\rangle$ with probability $p_j = |a_j|^2$, and after the measurement, the state becomes $|\psi'\rangle = |j\rangle$. Thus measuring "collapses" the state, returning a basis state with probability the squared modulus of its coefficient (amplitude), and the resulting state is the one returned by the measurement. Thus from a given state, we return one answer depending on the basis we measure, and destroy all other information about the state.

Finally we note that cascaded measurements (one after the other) can always be replaced by a single measurement.

3 This is the "Positive Operator-Valued Measure" (POVM) formalism.
2.1.5. The No Cloning Theorem. As an example of using the above postulates, we prove an important and surprising theorem:

Theorem 2.3 (The No Cloning Theorem). It is impossible to build a machine that can clone any given quantum state.

This is in stark contrast to the classical case, where we copy information all the time. It is the tip of the iceberg for the differences between quantum and classical computing.

Proof. Suppose we have a machine with two slots: A for the quantum state $|\psi\rangle$ to be cloned, and B in some fixed initial state $|s\rangle$, and the machine makes a copy of the quantum state in A. By the rules of quantum mechanics, the evolution $U$ is unitary, so we have

(10) $|\psi\rangle \otimes |s\rangle \xrightarrow{U} |\psi\rangle \otimes |\psi\rangle$

Now suppose we have two states we wish to clone, $|\psi\rangle$ and $|\varphi\rangle$, giving

$U(|\psi\rangle \otimes |s\rangle) = |\psi\rangle \otimes |\psi\rangle$

$U(|\varphi\rangle \otimes |s\rangle) = |\varphi\rangle \otimes |\varphi\rangle$

Taking the inner product of these two equations, and using $U^\dagger U = I$:

$(\langle\varphi| \otimes \langle s|)\, U^\dagger U\, (|\psi\rangle \otimes |s\rangle) = (\langle\varphi| \otimes \langle\varphi|)(|\psi\rangle \otimes |\psi\rangle)$

$\langle\varphi|\psi\rangle \langle s|s\rangle = \langle\varphi|\psi\rangle \langle\varphi|\psi\rangle$

$\langle\varphi|\psi\rangle = (\langle\varphi|\psi\rangle)^2$

This has solutions if and only if $\langle\varphi|\psi\rangle$ is 0 or 1, so cloning cannot be done for general states. 4 □

2.2. Efficient Quantum Computation. 

2.2.1. Quantum Computing. Quantum states are transformed by applying unitary operators to the state. So where classical computing can be viewed as applying transforms to $n$-bit systems, quantum computation proceeds by constructing an $n$-qubit machine, applying unitary operators to the state until some desired state is found, and then measuring the result. This paper will avoid the physical construction of such machines, and focus on the unitary transformations that seem likely to be physically realizable, and the computational outcomes of such systems. Again, for an introduction to the physical issues, see [29, Ch. 7] and the references therein.

2.2.2. Circuit Model. Similar to being able to construct any classical circuit with NAND gates, there are finite 5 sets of quantum gates that allow the construction of any unitary operator to a desired precision. Kitaev shows that these approximations can be done with minimal overhead, allowing quantum computation to be modelled with simple "quantum circuits". A final note on quantum circuits is that Deutsch's Quantum Turing Machine [37] and the circuit model used more recently were shown equivalent by Yao [128]. We will use a few quantum gates that operate on 1, 2, or 3 qubits at a time, defined later. The intuitive description is that quantum computations are built of quantum circuits, which are composed of quantum gates, and each quantum gate operates on only a few qubits at a time. This statement mirrors the classical one with "quantum" removed and qubits replaced with bits.

4 There is a lot of research on precisely what can be cloned, how to approximate cloning, and what other limitations there are to duplicating quantum states.

5 There are many ways to choose them.

2.2.3. Quantum Circuit Size. In loose terms, efficient classical computations are 
done on small circuits, in the sense that as the problem size grows, the size of 
the circuit required to solve the problem grows at a certain rate, usually bounded 
polynomially in the size of the problem. We want to make this precise in the 
quantum context. 

The following is just a mathematically precise way to say our "elementary op- 
erations" only operate on a few qubits at a time, which is desirable since it makes 
quantum computation physically plausible. Some definitions: 

Definition 2.4. Given a $2^n$-dimensional vector space $V$ with basis $B$, and a $2^m \times 2^m$ matrix $U$ with $m \le n$, an expansion of $U$ relative to $B$ is any matrix of the form $G^{-1}(U \otimes I_{2^{n-m}})G$ where $G$ permutes the basis, and $I_k$ is the $k \times k$ identity matrix.

This just says each expansion of $U$ operates on $m$ of the $n$ qubits in an $n$-qubit machine. In general $m$ will be small, $n$ will vary, and we will build computations by composing these operators.

Definition 2.5. Given a $2^n$-dimensional vector space $V$, an orthonormal basis $B$ of $V$, and a finite set $\mathcal{U} = \{U_1, U_2, \dots, U_k\}$ of unitary matrices of dimensions dividing $2^n$, the set of elementary operations relative to $(B, \mathcal{U})$ consists of all expansions of the $U_i$ relative to $B$.

This just allows us to consider all operations on any subset of $n$ qubits generated from our initial set of "elementary operations". Note $U$ unitary and $B$ orthonormal implies expansions of $U$ relative to $B$ are unitary.

For our use $V$ will be the state space of a quantum system, clear from context, and $B$ will be the standard orthonormal basis of $V$. We fix a specific generating set $\mathcal{U}_T = \{H, \mathrm{CNOT}, \mathrm{CCNOT}, P\}$ relative to such a fixed basis to be the matrices

(11) $H = \dfrac{1}{\sqrt{2}} \begin{pmatrix} 1 & 1 \\ 1 & -1 \end{pmatrix}$, the Hadamard matrix

(12) $\mathrm{CNOT} = \begin{pmatrix} 1 & 0 & 0 & 0 \\ 0 & 1 & 0 & 0 \\ 0 & 0 & 0 & 1 \\ 0 & 0 & 1 & 0 \end{pmatrix}$, the controlled NOT

(13) $\mathrm{CCNOT} = (c_{i,j})$ with $c_{i,i} = 1$ for $i = 1, \dots, 6$, $c_{7,8} = c_{8,7} = 1$, and the rest 0, the controlled controlled NOT

(14) $P = \begin{pmatrix} e^{i\theta} & 0 \\ 0 & e^{-i\theta} \end{pmatrix}$, the phase matrix, where $\cos\theta = \dfrac{3}{5}$.

For any $n \ge 2$ and using the standard basis $B$ defined earlier, the elementary operations from this set of 4 matrices generate a group dense in $U(2^n)$, the space of legal quantum operations on an $n$-qubit machine 6. So from now on one can assume these 4 matrices and associated elementary operations are the legal set of elementary operations on any $n$-qubit machine. The definitive paper on elementary gates for quantum computing is

6 From chapter 4 exercises in [29].

Definition 2.6. A quantum circuit is a unitary matrix built from composing elementary operations from $\mathcal{U}_T$.

Now mathematically, quantum computing becomes the following. We have an initial state $|0\rangle$ in the $n$-qubit space $\mathbb{C}^{2^n}$. Applying unitary transformations that are products of the elementary transformations, we want to obtain a quantum state (unit vector $|\psi\rangle$) that, when measured, has a high probability of returning some useful answer. We want to know how "efficient" such transformations are. We restrict legal quantum operations to those obtained from the elementary operations from some finite set, such as $\mathcal{U}_T$.

Definition 2.7. The size of a quantum circuit will be the minimal number of elementary operations composed to obtain it.

This gives us a way to measure the complexity of a quantum operation. From here on we can assume all quantum operation complexities are measured against our set of elementary operations coming from $\mathcal{U}_T$ and a corresponding $V$ and $B$ taken from context.

Often it is possible to rearrange the elementary operations and obtain the same quantum circuit. For example, if adjacent operations affect disjoint sets of qubits, these two operations can be swapped, obtaining the same circuit (the matrices commute). Similar to parallelizing classical circuits, this reordering allows us to partition the sequence of elementary operations into ordered lists of operations, where within each list a qubit is affected by at most one operation. This leads to the notion of depth:

Definition 2.8. The depth of a quantum circuit is the minimal length of a partition of the ordered elementary operations composing the circuit into ordered lists where each qubit is affected at most once per list.

As a result, we always have depth $\le$ size.

To parallel the quantum to classical terminology, we sometimes call a state (or part of a state) a quantum register. Physically a quantum state is basically constructed using $n$ particles, each of which is found in one of two states, 0 or 1, when measured. If we take a subset of these particles, and operate on them, it is convenient to call this subset a register.

Definition 2.9. A register in a quantum computer is a subset of the total set of qubits. We often write $|a\rangle|b\rangle$ to denote that the first register is in state $|a\rangle$ and the second in state $|b\rangle$, the number of qubits in each set being understood from context.
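As an added example (not code from the paper), the following Python makes Definition 2.4 concrete: it builds the expansion of a $2^m \times 2^m$ gate to an $n$-qubit register by index bookkeeping rather than by materialising the permutation $G$, and checks the two facts used above, namely that expansions of unitary gates are unitary and that expansions acting on disjoint qubits commute (the reordering behind Definition 2.8). It assumes qubit 0 is the most significant bit of the basis label $|x\rangle$, the binary labelling of Section 2.1.3; that choice, and the plain-list matrix representation, are assumptions of this example.

```python
"""Expansions of gates from U_T to an n-qubit register (Definitions 2.4-2.5).

Added example, not from the paper. Matrices are plain Python lists of rows,
and qubit 0 is the most significant bit of the basis label |x> (assumption,
matching the binary labelling of Section 2.1.3)."""
import math

# Two members of the generating set U_T, eqs. (11) and (12).
H = [[1 / math.sqrt(2), 1 / math.sqrt(2)],
     [1 / math.sqrt(2), -1 / math.sqrt(2)]]
CNOT = [[1, 0, 0, 0],
        [0, 1, 0, 0],
        [0, 0, 0, 1],
        [0, 0, 1, 0]]


def expansion(U, targets, n):
    """The 2^n x 2^n matrix G^{-1}(U (x) I_{2^{n-m}})G of Definition 2.4: the
    2^m x 2^m gate U acts on the m qubits listed in `targets` (in that order)
    and the identity acts on the other n-m qubits."""
    m = len(targets)
    assert len(U) == 2 ** m, "gate size must match the number of target qubits"
    N = 2 ** n
    out = [[0] * N for _ in range(N)]
    for x in range(N):                  # column x is the image of |x>
        s = 0                           # sub-index read off the target qubits
        for q in targets:
            s = (s << 1) | ((x >> (n - 1 - q)) & 1)
        for t in range(2 ** m):         # U sends |s> to sum_t U[t][s] |t>
            if U[t][s] == 0:
                continue
            y = x
            for pos, q in enumerate(targets):   # write the bits of t into y
                bit = (t >> (m - 1 - pos)) & 1
                shift = n - 1 - q
                y = (y & ~(1 << shift)) | (bit << shift)
            out[y][x] += U[t][s]
    return out


def matmul(A, B):
    return [[sum(A[i][k] * B[k][j] for k in range(len(B)))
             for j in range(len(B[0]))] for i in range(len(A))]


def apply(M, state):
    """Matrix acting on the left of a column vector."""
    return [sum(row[j] * state[j] for j in range(len(state))) for row in M]


def basis(index, n):
    """The standard basis vector |index> of the n-qubit space."""
    e = [0] * (2 ** n)
    e[index] = 1
    return e


def is_unitary(M, tol=1e-9):
    """Check M M^dagger = I, the property that makes an expansion legal."""
    N = len(M)
    for a in range(N):
        for b in range(N):
            entry = sum(M[a][j] * complex(M[b][j]).conjugate() for j in range(N))
            if abs(entry - (1 if a == b else 0)) > tol:
                return False
    return True


def commute(A, B, tol=1e-9):
    """True when AB = BA, the condition for swapping adjacent operations."""
    AB, BA = matmul(A, B), matmul(B, A)
    return all(abs(AB[i][j] - BA[i][j]) < tol
               for i in range(len(A)) for j in range(len(A)))
```

With three qubits, the CNOT expanded onto qubits (0, 1) sends $|110\rangle$ to $|100\rangle$, the Hadamard expanded onto qubit 0 commutes with a CNOT on qubits (1, 2), and the same Hadamard placed on the target qubit of that CNOT does not, which is exactly the distinction Definition 2.8 relies on.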

2.2.4. Efficient Quantum Computation. Most of this paper is concerned with ef- 
ficient quantum computation. Sometimes this has two components: needing an 
efficient quantum process, and an efficient classical computing method to post- 
process the data output from the quantum process to obtain the desired answer. 
We will see these two are (often) separate issues. 

Given a problem to solve on a quantum computer, we need a way to represent the problem as a quantum state, a unitary operation $U$ built from elementary operations to convert this quantum state to a final state, and a way to process the final state to obtain the desired answer. Although a precise definition of "efficient" takes us too far afield, we will make it precise in special cases throughout this paper. The general idea is that as the "size" of the input grows (the number of qubits required to represent the problem, say), the size of the necessary quantum operator $U$ should grow polynomially in the size of the input.

An example: suppose we want to determine the order of a finite abelian group given a generating set for it. Given a group $G$, we can represent each element using roughly $\log|G|$ qubits. To call a quantum algorithm efficient for this problem would mean the size of the quantum circuit computing the order of $G$ should be polynomial in $\log|G|$, as $G$ varies throughout the family of finite abelian groups.

As a final technical point, we require what is called a "uniform class of algo- 
rithms," meaning that, for a problem of size n, there is a Turing machine that 
given n, can produce the circuit description in number of steps equal to a polyno- 
mial in n. This ensures that we can (in theory) construct an explicit machine to 
solve each problem in time polynomial in the size of the problem. 

For more information on quantum complexity, see jis], . 

2.2.5. A Note on Probabilistic Algorithms. Quantum computers are probabilistic, meaning that algorithms tend to be of the form "Problem A is solved with probability 80%." For those used to thinking that algorithms solve problems with certainty (such as algorithms encountered in a first algorithms class), note that probabilistic algorithms suffice in practice. We just run the experiment a few times, and take the majority result. This returns the correct answer with probability exponentially close to 1 in the number of trials. Precisely we use the following theorem:

Theorem 2.10 (The Chernoff Bound). Suppose $X_1, X_2, \dots, X_n$ are independent and identically distributed random variables, each taking the value 1 with probability $1/2 + \epsilon$ and 0 with probability $1/2 - \epsilon$. Then

$$p\left(\sum_{i=1}^{n} X_i \le \frac{n}{2}\right) \le e^{-2\epsilon^2 n}.$$

Thus the majority is wrong very rarely. For example, we will make most algorithms succeed with probability 3/4, so our $\epsilon = 1/4$. Although it sounds like a lot, taking 400 repetitions of the algorithm causes our error to drop below $e^{-50} < 10^{-20}$, at which point it is more likely our computer fails than the algorithm fails. And since the algorithms we are considering are usually exponentially faster than classical ones, there is still a net gain in performance. If we do 1000 runs, our error drops below $e^{-125} \approx 5 \cdot 10^{-55}$, at which point it is probably more likely you'll get hit by lightning while reading this sentence than that the algorithm itself will fail. For completeness, here is a proof of the Chernoff Bound.

Proof. Consider a sequence $(x_1, x_2, \dots, x_n)$ of 0's and 1's containing at most $n/2$ ones. The probability of such a sequence is maximized when it contains $\lfloor n/2 \rfloor$ ones, so

(15) $p(X_1 = x_1, X_2 = x_2, \dots, X_n = x_n) \le \left(\tfrac{1}{2} + \epsilon\right)^{n/2} \left(\tfrac{1}{2} - \epsilon\right)^{n/2}$

(16) $= \left(\tfrac{1}{4} - \epsilon^2\right)^{n/2}$

(17) $= \dfrac{(1 - 4\epsilon^2)^{n/2}}{2^n}$

There can be at most $2^n$ such sequences, so

(18) $p\left(\sum_i X_i \le \tfrac{n}{2}\right) \le 2^n \cdot \dfrac{(1 - 4\epsilon^2)^{n/2}}{2^n} = (1 - 4\epsilon^2)^{n/2}$

From calculus, $1 - x \le \exp(-x)$, so

(19) $p\left(\sum_i X_i \le \tfrac{n}{2}\right) \le e^{-4\epsilon^2 n/2} = e^{-2\epsilon^2 n}.$

□
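As an added example (not part of the paper), the Python below computes the exact failure probability of the majority vote, the binomial tail $p(\sum X_i \le n/2)$ with ties counted as failures, next to the Chernoff bound of Theorem 2.10, and inverts the bound to get a repetition count for a target error. Running it for the $\epsilon = 1/4$ setting above shows how much slack the bound leaves; the function names and the ranges printed are this example's own choices.

```python
"""Majority-vote error: exact binomial tail versus the Chernoff bound of Theorem 2.10.
Added example, not from the paper."""
import math


def majority_failure_exact(n, eps):
    """Exact p(sum X_i <= n/2) for n independent trials that each succeed with
    probability 1/2 + eps. A tie (n even, exactly n/2 successes) counts as failure,
    matching the event bounded in Theorem 2.10."""
    p = 0.5 + eps
    return sum(math.comb(n, k) * p ** k * (1 - p) ** (n - k)
               for k in range(n // 2 + 1))


def chernoff_bound(n, eps):
    """The bound of Theorem 2.10: e^{-2 eps^2 n}."""
    return math.exp(-2 * eps ** 2 * n)


def trials_for_error(target, eps):
    """Smallest n for which the Chernoff bound is at most `target`,
    i.e. n >= ln(1/target) / (2 eps^2)."""
    return math.ceil(math.log(1 / target) / (2 * eps ** 2))


if __name__ == "__main__":
    eps = 0.25  # per-run success probability 3/4, as in the text
    for n in (10, 100, 400):
        print(n, majority_failure_exact(n, eps), chernoff_bound(n, eps))
    print("runs for error 1e-20:", trials_for_error(1e-20, eps))
```

For $\epsilon = 1/4$ the bound at $n = 400$ is $e^{-50} \approx 2 \cdot 10^{-22}$ while the exact tail is several orders of magnitude smaller, so the repetition counts quoted above are conservative.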



3. The Abelian Hidden Subgroup Problem

We will detail the Hidden Subgroup Problem (HSP), starting with some illustrative and historically earlier examples, before covering the most general cases and research problems. The simplest groups considered are the finite cyclic groups, followed by finite abelian groups. Kitaev [77] examines a similar problem over finitely generated abelian groups, but we will not cover that here. The finite abelian case was first used to spectacular effect by Shor [114] and Simon [116]. The HSP for finite nonabelian groups is currently researched for the reasons given in Sections 1.1 and 5.

Related to the HSP over finite groups is the Abelian Stabilizer Problem, in Kitaev [77].

3.1. Definition of the Hidden Subgroup Problem. In order to set the stage for the rest of the paper, we make a general definition of the Hidden Subgroup Problem, which we will abbreviate HSP for the rest of this paper, and then attempt to determine for which groups $G$ and subgroups $H$ we can solve the HSP efficiently. We will also discuss partial results on groups for which efficient HSP algorithms are not known.

Definition 3.1 (Separates cosets). Given a group $G$, a subgroup $H \le G$, and a set $X$, we say a function $f: G \to X$ separates cosets of $H$ if for all $g_1, g_2 \in G$, $f(g_1) = f(g_2)$ if and only if $g_1 H = g_2 H$.

Definition 3.2 (The Hidden Subgroup Problem). Let $G$ be a group, $X$ a finite set, and $f: G \to X$ a function such that there exists a subgroup $H \le G$ for which $f$ separates cosets of $H$. Using information gained from evaluations of $f$, determine a generating set for $H$.

For any finite group $G$, a classical algorithm can call a routine evaluating $f(g)$ once for each $g \in G$, and thus determine $H$ with $|G|$ function calls. A central challenge of quantum computing is to reduce this naive $O(|G|)$ time algorithm to $O(\mathrm{poly}(\log|G|))$ time (including oracle calls and any needed classical post-processing time). This can be done for many groups, which gives the exponential speedup found in most quantum algorithms.

We assume an efficient encoding of $G$ and $X$ to basis states of our quantum computer. We also assume a quantum "black-box" that operates in unit time for performing the unitary transform $U_f |g\rangle|x\rangle = |g\rangle|x \oplus f(g)\rangle$, for $g \in G$, $x \in X$, and $\oplus$ bitwise addition on the state indices.
3.2. The Fast Fourier Transform. The Fast Fourier Transform (FFT) of Cooley and Tukey reduced the cost of doing Fourier transforms from the naive $O(n^2)$ down to $O(n \log n)$, allowing a large class of problems to be attacked by computers. Mikhail Atallah 7 remarked that the FFT is the most important algorithm in computer science. The success of the FFT is that so many other problems can be reduced to a Fourier transform, from multiplication of numbers and polynomials to image processing to sound analysis to correlation and convolution 8. More references are Beth, Karpovsky, and Maslen and Rockmore [93].

Most, if not all, quantum algorithms that are exponentially faster than their classical counterparts rely on a quantum Fourier transform (QFT), and much of the rest of this document deals with the QFT. For more information beyond this paper on the QFT see Ekert and Jozsa, Hales and Hallgren, and Jozsa [68].

Just as the FFT turned out to be a big breakthrough in classical computing, exploiting the QFT is so far the central theme in quantum algorithms. The main reason quantum algorithms are exponentially faster is that the QFT can be done exponentially faster than the classical FFT. However there are limitations due to the probabilistic nature of quantum states.



3.3. The Basic Example. Fix an integer $N > 1$. Let $X$ be a finite set, and let $G = (\mathbb{Z}_N, +)$ be the additive group of integers mod $N$. Suppose we have a function (set map) $f: G \to X$ such that there is a subgroup $H = \langle d \rangle$ of $G$ such that $f$ is constant on $H$ and distinct on cosets of $H$, that is, $f$ separates cosets of $H$. Let $M = |H|$. We assume we have a quantum machine 9 capable of computing the unitary transform on two registers $U_f: |x\rangle|y\rangle \mapsto |x\rangle|f(x) \oplus y\rangle$, where $\oplus$ is (qu)bitwise addition 10. We do not assume we know $M$ or $d$ or $H$; we only know $G$ and have a machine computing $f$. We want to determine a generating set for $H$, calling the "black-box" function $f$ as few times as possible. For now we ignore the size of the quantum circuit and focus on the math making the whole process work. Later we will deal with efficiency.

Definition 3.3 (Quantum Fourier Transform (QFT)). The quantum Fourier transform $F_N$ is the operator on a register with $n \ge \log N$ qubits given by

(20) $F_N = \dfrac{1}{\sqrt{N}} \sum_{j,k=0}^{N-1} \omega_N^{jk}\, |k\rangle\langle j|$

Note later we will define the QFT over other groups, so this one is actually the cyclic QFT.

The $\frac{1}{\sqrt{N}}$ factor is required to make this a unitary transformation 11, so it is a valid quantum transformation.

7 Private comment.

8 Lomont has shown that there can be no quantum correlation or convolution algorithms that parallel the quantum Fourier transform.

9 Recall $|x\rangle|y\rangle$ merely means $|x\rangle \otimes |y\rangle$ and is used as shorthand.

10 Check this is unitary, thus an allowable quantum operation.

11 Homework!

Map the group, which we view as integers added mod $N$, into the basis of the quantum state, that is, $G = \{|0\rangle, |1\rangle, \dots, |N-1\rangle\}$ and
$H = \{|0\rangle, |d\rangle, |2d\rangle, \dots, |(M-1)d\rangle\}$. Compute on two registers:

(21) $|0\rangle|0\rangle \xrightarrow{F_N \otimes I} \dfrac{1}{\sqrt{N}} \sum_{j=0}^{N-1} |j\rangle|0\rangle$

(22) $\xrightarrow{U_f} \dfrac{1}{\sqrt{N}} \sum_{j=0}^{N-1} |j\rangle|f(j)\rangle$

Measuring the second register to obtain some value $f(j_0)$ collapses the state, leaving only those values in the first register that have $f(j_0)$ in the second register, namely the coset $H + j_0$. This is where we needed that $f$ separates cosets of $H$. This "entanglement" is not present in classical computation, and seems to be one source of the increased computational power of quantum computing, another source being the ability to do computations on $2^n$ state coefficients in parallel by manipulating only $n$ qubits. We now drop the second register, which remains $|f(j_0)\rangle$.

(23) $\dfrac{1}{\sqrt{M}} \sum_{h \in H} |j_0 + h\rangle$

(24) $= \dfrac{1}{\sqrt{M}} \sum_{s=0}^{M-1} |j_0 + sd\rangle$

(25) $\xrightarrow{F_N} \dfrac{1}{\sqrt{M}} \sum_{s=0}^{M-1} \dfrac{1}{\sqrt{N}} \sum_{k=0}^{N-1} \omega_N^{(j_0 + sd)k} |k\rangle$

(26) $= \dfrac{1}{\sqrt{MN}} \sum_{k=0}^{N-1} e^{2\pi i j_0 k / N} \left( \sum_{s=0}^{M-1} e^{2\pi i s d k / N} \right) |k\rangle$

Using $dM = N$, evaluate the geometric series

(27) $\sum_{s=0}^{M-1} e^{2\pi i s d k / N} = \sum_{s=0}^{M-1} e^{2\pi i s k / M}$

(28) $= \begin{cases} 0 & \text{if } M \nmid k \\ M & \text{if } M \mid k \end{cases}$

So in expression (26), only those values of $k$ that are multiples of $M$ remain, simplifying to the superposition

(29) $= \dfrac{1}{\sqrt{d}} \sum_{t=0}^{d-1} e^{2\pi i j_0 t / d} |tM\rangle$

Now measuring at this point gives a multiple of $M$ in $\{0, M, \dots, (d-1)M\}$ with uniform probability. All that remains is to repeat this to get several multiples of $M$, and to take the GCD to obtain $M$ with high probability. Computing the GCD with the Euclidean algorithm 12 has complexity $O(\log^2 N)$, where $\log N$ is the number of digits in $N$.

To estimate how many trials we need, suppose we have obtained $k$ multiples of $M$, say $t_1 M, \dots, t_k M$ with the (possibly repeated) $t_1, \dots, t_k \in T = \{0, 1, \dots, d-1\}$. We want to estimate the probability that $\gcd(t_1, t_2, \dots, t_k) = 1$, which would guarantee we would obtain the true value of $M$, and hence determine $H$ properly. By Lemma E.2 in Appendix E,

$$\mathrm{prob}(\gcd(t_1, t_2, \dots, t_k) = 1) \ge 1 - \left(\tfrac{1}{2}\right)^{k/2}$$

12 This is the oldest known algorithm [79].

Thus a few runs of the algorithm determine $H$ with high probability, for any size $N$ and $d$. To understand the complete cost of the algorithm, we need the computational cost of the QFT, which is shown next in Section 3.4. Then we show how these pieces can be used to find hidden subgroups in any finite abelian group in Section 3.5, and finally in Section 3.6 we show some applications.
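The following is an added example, not code from the paper: a classical simulation of the procedure above for small $N$, with states held as explicit amplitude vectors. It covers the coset state after the second-register measurement (eqs. 23-24), the cyclic QFT of Definition 3.3, the measurement rule of Section 2.1.4, and the GCD post-processing. It assumes $H = \langle d \rangle$ with $d \mid N$ and uses $f(j) = j \bmod d$ as the coset-separating function; that choice of $f$, the function names, and the divisibility check in the recovery step are this example's own assumptions.

```python
"""Classical simulation of the cyclic hidden-subgroup algorithm of Section 3.3.

Added example, not from the paper. It assumes H = <d> with d | N and uses
f(j) = j mod d (any f that separates cosets of H would do). States are lists of
complex amplitudes indexed by j in Z_N, so N must be small: simulating the
quantum state classically costs O(N), which is exactly what the quantum
algorithm avoids."""
import cmath
import math
from functools import reduce


def qft_matrix(N):
    """F_N with entries F[k][j] = omega_N^{jk} / sqrt(N), omega_N = exp(2 pi i/N)  (eq. 20)."""
    return [[cmath.exp(2j * math.pi * j * k / N) / math.sqrt(N) for j in range(N)]
            for k in range(N)]


def apply(matrix, state):
    """Matrix acting on the left of a column vector (Section 2.1)."""
    return [sum(row[j] * state[j] for j in range(len(state))) for row in matrix]


def coset_state(N, f, j0):
    """First register after measuring f(j0) in the second register (eqs. 23-24):
    the uniform superposition over the coset {j : f(j) = f(j0)} = H + j0."""
    coset = [j for j in range(N) if f(j) == f(j0)]
    amp = 1 / math.sqrt(len(coset))
    return [amp if j in coset else 0.0 for j in range(N)]


def measurement_probs(state):
    """Computational-basis measurement: outcome k has probability |a_k|^2 (Section 2.1.4)."""
    return [abs(a) ** 2 for a in state]


def hsp_sample_distribution(N, d, j0=0):
    """Distribution of the first-register measurement after the QFT (eq. 29).
    Only multiples of M = N/d appear, each with probability 1/d, whatever j0 was."""
    f = lambda j: j % d  # constant on H = <d>, distinct on its cosets, since d | N
    state = apply(qft_matrix(N), coset_state(N, f, j0))
    return measurement_probs(state)


def recover_generator(N, samples):
    """Each sample is a multiple of M = |H|; their gcd is M with the probability
    estimated in Section 3.3, and then d = N/M generates H.
    Returns None when the samples are certainly unlucky: every sample was 0
    (gcd 0), or the gcd does not divide N (so it cannot be |H|). A gcd that is a
    proper multiple of M and still divides N is not detected here, which is why
    the algorithm is repeated until the gcd stabilises."""
    M = reduce(math.gcd, samples, 0)
    if M == 0 or N % M != 0:
        return None
    return N // M


if __name__ == "__main__":
    # Constructed demo: N = 12, hidden subgroup H = <3> = {0, 3, 6, 9}, so M = 4.
    probs = hsp_sample_distribution(12, 3, j0=5)
    print([round(p, 3) for p in probs])      # 1/3 at k = 0, 4, 8 and 0 elsewhere
    print(recover_generator(12, [4, 8]))     # 3
    print(recover_generator(12, [8]))        # None: 8 does not divide 12
```

Changing `j0` in the demo changes only the phases in eq. (29), never the measured distribution, which is the reason the second-register outcome can be discarded; and feeding the recovery step samples such as `[8]` shows the check a practitioner wants before trusting a candidate subgroup.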

Above we assume infinitely precise values in the operations making up the QFT. Since this is not physically reasonable, work has been done to cover the case of slight errors in the precision of the computations. Kitaev and the error correction methods of Calderbank and Shor [27] are good places to start, and show that it is still possible to sample multiples of $M$ with high probability even with errors in the QFT, so the process works.

3.4. Computing the Fourier Transform on $\mathbb{Z}_N$ Efficiently. In this section we want to show how to compute the quantum Fourier transform $F_N$ on the cyclic group $\mathbb{Z}_N$ efficiently, or at least approximate it to as high a precision as necessary. We will do this in two steps: first we do it for the case $N = 2^n$, and then use this in the second step to do it for general $N$. $F_N$ will be used to construct HSP algorithms for general finite abelian groups. We make the next definition for general groups, but reserve the more general QFT definition until Section 4.

Definition 3.4. A family of quantum circuits $\{U_i\}$ computing the quantum Fourier transform over a family of finite groups $\{G_i\}$ is called efficient if $U_i$ has size polynomial in $\log|G_i|$ for all $i$.

Efficient quantum circuits for the Fourier transform over $\mathbb{Z}_N$ are well studied. 
Kitaev [77] gives an approximate method. Mosca and Zalka [100] use "amplitude 
amplification" [25] to give an exact method, but claim it is unlikely to be of practical 
use. Mosca's [98] thesis and Hales' thesis [55] both contain circuit descriptions. 
Hales and Hallgren [?] give the algorithm used in appendix A for the general case. 
For practical implementations of Shor's algorithm the "semiclassical" version given 
by Griffiths and Niu [32] would probably be the best known choice. Cleve and 
Watrous [33] have given parallel algorithms, showing even more speed increases. 
Shor [114] did the cyclic case for "smooth" values of N, and Coppersmith [35] 
gave an efficient algorithm for the case $N = 2^n$ as well as an approximate version. 
Brassard and Høyer [23] show how to solve Simon's problem, and have a useful 
framework for analyzing the general finite abelian HSP. 

It has been said [59] that "The efficient algorithm for the abelian HSP is folklore." 
This section attempts to clear that up with precision. 

3.4.1. Reduction to Odd Order and $2^n$ Order. As mentioned in Mosca's thesis [98, 
Appendix A.4], it is a fact that the Fourier transform $F_N$ over a composite N = AB, 
with (A, B) = 1, can be computed efficiently from the efficient Fourier transforms 
over A and B. We show this briefly. 

We assume (A, B) = 1, and we have efficient QFT algorithms for $F_A$ and $F_B$. 

Let $U_A$ be the unitary transform $|x \bmod A\rangle \mapsto |xB \bmod A\rangle$, and similarly let $U_B$ 
be $|y \bmod B\rangle \mapsto |yA \bmod B\rangle$. Both $U_A$ and $U_B$ are efficiently computable, since they are 
just multiplication, followed by a remainder operation. 

The main idea comes from the ring isomorphism $\mathbb{Z}_N \cong \mathbb{Z}_A \times \mathbb{Z}_B$, given in one 
direction by $j \mapsto (j \bmod A,\; j \bmod B)$, and in the other direction by $(j_1, j_2) \mapsto 
j_1 B B^{-1} + j_2 A A^{-1}$, where $A A^{-1} \equiv 1 \bmod B$ and $B B^{-1} \equiv 1 \bmod A$. These 
statements required (A, B) = 1. With this notation it is instructive to check 

(30)  $F_N = (U_A \otimes U_B)(F_A \otimes F_B)$ 

This reduces the general QFT over $\mathbb{Z}_N$ for general N to the cases $N = 2^n$ and 
N odd. Finding QFT algorithms with time complexity of O(polylog N) for each 
case thus results in such an algorithm for any N, since $U_A$ and $U_B$ are efficient. 

Thus for our purposes it is enough to show how to compute $F_N$ efficiently for N 
a power of two and for N odd. 



3.4.2. The Case $N = 2^n$. We start with the easiest case: $N = 2^n$. We show an 
explicit construction of the Fourier transform $F_N$, where $N = 2^n$. This presentation 
follows [?, Ch. 5], which in turn is adapted from sources mentioned in their book. 

We use the notation from section 3.3, specialized to the case $N = 2^n$. We 
write the integer j in binary as $j = j_1 2^{n-1} + j_2 2^{n-2} + \cdots + j_n 2^0$, or in shorthand, 
as $j = j_1 j_2 \cdots j_n$. We also adopt the notation $0.j_l j_{l+1} \ldots j_m = j_l/2 + j_{l+1}/4 + 
\cdots + j_m/2^{m-l+1}$. Note the Fourier^13 operator $F_N$ sends a basis element $|j\rangle$ to 
$\frac{1}{\sqrt N}\sum_{k=0}^{N-1} \omega_N^{jk}|k\rangle$. The inverse transform has $\omega_N^{-jk}$ instead of $\omega_N^{jk}$. Then we can 
derive a formula giving an efficient way to compute the Fourier transform: 

(31)  $F_N|j\rangle = \frac{1}{\sqrt{2^n}} \sum_{k=0}^{2^n-1} \omega_N^{jk}\,|k\rangle$ 

(32)  $= \frac{1}{\sqrt{2^n}} \sum_{k_1=0}^{1} \sum_{k_2=0}^{1} \cdots \sum_{k_n=0}^{1} e^{2\pi i j \sum_{l=1}^{n} k_l 2^{-l}}\,|k_1 k_2 \cdots k_n\rangle$ 

(33)  $= \frac{1}{\sqrt{2^n}} \sum_{k_1=0}^{1} \cdots \sum_{k_n=0}^{1} \bigotimes_{l=1}^{n} e^{2\pi i j k_l 2^{-l}}\,|k_l\rangle$ 

(34)  $= \frac{1}{\sqrt{2^n}} \bigotimes_{l=1}^{n} \left[ \sum_{k_l=0}^{1} e^{2\pi i j k_l 2^{-l}}\,|k_l\rangle \right]$ 

(35)  $= \frac{1}{\sqrt{2^n}} \bigotimes_{l=1}^{n} \left( |0\rangle + e^{2\pi i j 2^{-l}}|1\rangle \right)$ 

(36)  $= \frac{1}{\sqrt{2^n}} \left(|0\rangle + e^{2\pi i\, 0.j_n}|1\rangle\right)\left(|0\rangle + e^{2\pi i\, 0.j_{n-1} j_n}|1\rangle\right) \cdots \left(|0\rangle + e^{2\pi i\, 0.j_1 j_2 \cdots j_n}|1\rangle\right)$ 

where in the last step we used $\exp(2\pi i j 2^{-l}) = \exp(2\pi i\, j_1 j_2 \ldots j_{n-l}.j_{n-l+1} \ldots j_n) = 
\exp(2\pi i\, 0.j_{n-l+1} \ldots j_n)$. Using this expression, we exhibit a quantum circuit (uni- 
tary operator) using $O((\log N)^2)$ elementary operations that transforms the state 
$|j\rangle$ into the one shown in equation 36. 



13 Note that the Fourier coefficients can be viewed as group homomorphisms $\omega_N^{j\,\cdot} : \mathbb{Z}_N \to \mathbb{C}^*$, 
taking $a \mapsto \omega_N^{ja}$. This viewpoint generalizes well. 
We need two types of unitary^14 operations, $H^{(a)}$ and $R_k^{(a,b)}$, where a and b index 
the qubits in the quantum machine, as follows^15: Let $H^{(a)} = \frac{1}{\sqrt 2}\begin{pmatrix} 1 & 1 \\ 1 & -1 \end{pmatrix}$ be the 
standard Hadamard operator, applied to qubit a, and let $R_k^{(a,b)}$ be the operator on 
qubits a and b given by 

$R_k^{(a,b)} = \begin{pmatrix} 1 & 0 & 0 & 0 \\ 0 & 1 & 0 & 0 \\ 0 & 0 & 1 & 0 \\ 0 & 0 & 0 & \omega_{2^k} \end{pmatrix}$ 

where $\omega_N = e^{2\pi i/N}$ is the standard primitive N-th root of unity. $R_k^{(a,b)}$ has the effect of 
multiplying the phase of the $|1\rangle$ component of qubit b by $\omega_{2^k}$ if and only if qubit a is 
$|1\rangle$, and is called a controlled phase change. For example, looking at the two-qubit 
state, 

(37)  $(\alpha|0\rangle + \beta|1\rangle)\,|1\rangle \mapsto (\alpha|0\rangle + \beta e^{2\pi i/2^k}|1\rangle)\,|1\rangle$ 

Note each $H^{(a)}$ and $R_k^{(a,b)}$ is a local interaction on the quantum state, so we will 
count the number of them needed to implement a Fourier transform. 

Apply to the state $|j_1 j_2 \cdots j_n\rangle$ the operator $R_n^{(n,1)} R_{n-1}^{(n-1,1)} \cdots R_2^{(2,1)} H^{(1)}$. We 
have 

(38)  $|j_1 j_2 \cdots j_n\rangle \mapsto \frac{1}{\sqrt 2}\left(|0\rangle + e^{2\pi i\, 0.j_1}|1\rangle\right)|j_2 j_3 \cdots j_n\rangle$ 

(39)  $\mapsto \frac{1}{\sqrt 2}\left(|0\rangle + e^{2\pi i\, 0.j_1 j_2}|1\rangle\right)|j_2 j_3 \cdots j_n\rangle$ 

(40)  $\vdots$ 

(41)  $\mapsto \frac{1}{\sqrt 2}\left(|0\rangle + e^{2\pi i\, 0.j_1 j_2 \cdots j_n}|1\rangle\right)|j_2 j_3 \cdots j_n\rangle$ 

This required n local operations. 

Apply to the state $|j_2 j_3 \cdots j_n\rangle$ the operator $R_{n-1}^{(n,2)} R_{n-2}^{(n-1,2)} \cdots R_2^{(3,2)} H^{(2)}$, which 
changes only the second qubit, resulting similarly in 

(42)  $\frac{1}{\sqrt 2}\left(|0\rangle + e^{2\pi i\, 0.j_1 j_2 \cdots j_n}|1\rangle\right) \frac{1}{\sqrt 2}\left(|0\rangle + e^{2\pi i\, 0.j_2 \cdots j_n}|1\rangle\right) |j_3 \cdots j_n\rangle$ 

which required n-1 operations. Repeating this process uses $1 + 2 + \cdots + n = \frac{n(n+1)}{2}$ 
local operations and results in the state 

(43)  $\frac{1}{\sqrt{2^n}}\left(|0\rangle + e^{2\pi i\, 0.j_1 j_2 \cdots j_n}|1\rangle\right)\left(|0\rangle + e^{2\pi i\, 0.j_2 \cdots j_n}|1\rangle\right) \cdots \left(|0\rangle + e^{2\pi i\, 0.j_n}|1\rangle\right)$ 

Noting this is similar to equation 36, we finish the Fourier transform by reversing 
the order of the qubits with approximately $\lfloor n/2 \rfloor$ unitary qubit swaps. Thus the total 
number of operations, each affecting at most 2 qubits, is $O(n^2) = O(\log^2 N)$. We 
get an exact $F_N$ transform with this method. 



14 A careful reader should check these are unitary. 

15 Note Chuang and Nielsen in [?] denote $R_k$ as a single qubit operator; ours is what they 
would call a controlled $R_k$. 
Most discussions avoid the following point. Notice as N grows, so the number 
of basic operations $R_k$ grows as $\log N$, and this seems like cheating. If for each 
$N = 2^n$ we use only H and $R_n$, we may construct $R_m$, $0 < m < n$, as $(R_n)^{2^{n-m}}$, 
thus upping the complexity to $O(\log^3 N)$, which seems more fair from a complexity 
standpoint. Also, the $H^{(a)}$ were in the list of elementary operations from section 2.2 
but the $R_k^{(a,b)}$ were not. We remark they can be approximated in a manner leaving 
the overall QFT circuit efficient. 

So this shows how to get an exact transform in $O(\log^2 N)$ or $O(\log^3 N)$ opera- 
tions, depending on one's viewpoint. Since physical realizations will have error, we 
would be fine just approximating the QFT, a viewpoint detailed in Coppersmith 
[35], where he shows how to approximate the transform within any $\epsilon > 0$ in time 
$O(\log N (\log\log N + \log 1/\epsilon))$. See appendix A for more information on this result. 
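The circuit of this subsection, as an added example that is not code from the paper: a pure-Python statevector simulation of the $H^{(a)}$ and $R_k^{(a,b)}$ gates applied in the order given above, with the $\lfloor n/2 \rfloor$ final swaps, compared against the defining sum for $F_N$ and counting gates. The qubit numbering and the convention $j = j_1 2^{n-1} + \cdots + j_n 2^0$ follow the text; the function names are my own.

```python
import cmath
import math

# Added example (not from the paper): simulate the F_N circuit for N = 2^n built
# from H^{(a)} and the controlled phase gates R_k^{(a,b)}, and check it against
# F_N|j> = (1/sqrt N) sum_k w_N^{jk} |k>. Qubit 1 is the most significant bit
# of the basis index, exactly as in the binary expansion of j in the text.

def _bit(n, a):
    """Index bit carrying qubit a (1-based, qubit 1 = most significant)."""
    return 1 << (n - a)

def apply_h(state, n, a):
    """Hadamard H^{(a)} on qubit a."""
    b = _bit(n, a)
    r = 1 / math.sqrt(2)
    out = list(state)
    for i in range(len(state)):
        if not i & b:
            x, y = state[i], state[i | b]
            out[i], out[i | b] = r * (x + y), r * (x - y)
    return out

def apply_r(state, n, k, a, b):
    """Controlled phase R_k^{(a,b)} = diag(1,1,1,w_{2^k}): multiply the |1>
    amplitude of qubit b by w_{2^k} = exp(2 pi i / 2^k) whenever qubit a is |1>."""
    w = cmath.exp(2j * math.pi / (1 << k))
    ca, cb = _bit(n, a), _bit(n, b)
    return [amp * w if (i & ca) and (i & cb) else amp for i, amp in enumerate(state)]

def apply_swap(state, n, a, b):
    """Swap qubits a and b."""
    ba, bb = _bit(n, a), _bit(n, b)
    out = list(state)
    for i in range(len(state)):
        if (i & ba) and not (i & bb):
            j = (i ^ ba) | bb
            out[i], out[j] = state[j], state[i]
    return out

def qft_circuit(state):
    """Run the section 3.4.2 circuit on a 2^n-dimensional amplitude list.
    Returns (new_state, number_of_gates)."""
    n = len(state).bit_length() - 1
    gates = 0
    for a in range(1, n + 1):
        # H^{(a)}, then R_2^{(a+1,a)}, R_3^{(a+2,a)}, ..., R_{n-a+1}^{(n,a)}:
        # afterwards qubit a carries the phase exp(2 pi i 0.j_a ... j_n)
        state = apply_h(state, n, a)
        gates += 1
        for k in range(2, n - a + 2):
            state = apply_r(state, n, k, a + k - 1, a)
            gates += 1
    # equation (43) versus (36): reverse the qubit order with floor(n/2) swaps
    for a in range(1, n // 2 + 1):
        state = apply_swap(state, n, a, n + 1 - a)
        gates += 1
    return state, gates

def dft(state):
    """The defining transform: amplitude_k = (1/sqrt N) sum_j w_N^{jk} amplitude_j."""
    N = len(state)
    return [sum(state[j] * cmath.exp(2j * math.pi * j * k / N) for j in range(N))
            / math.sqrt(N) for k in range(N)]

def max_circuit_error(n):
    """Largest amplitude discrepancy between the circuit and F_N over all basis
    states |j> of n qubits, and the gate count the circuit used."""
    N = 1 << n
    worst, gates = 0.0, 0
    for j in range(N):
        basis = [0j] * N
        basis[j] = 1 + 0j
        circ, gates = qft_circuit(basis)
        exact = dft(basis)
        worst = max(worst, max(abs(c - e) for c, e in zip(circ, exact)))
    return worst, gates

if __name__ == "__main__":
    for n in (2, 3, 4, 5):
        err, gates = max_circuit_error(n)
        # gate count is n(n+1)/2 + floor(n/2), e.g. 12 for n = 4
        print(f"n={n}: {gates} gates, max error {err:.1e}")
```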

3.4.3. The Case N Odd. We use the algorithm over powers of 2 to get one for an 
odd N. The details of the proof are lengthy, and are left to Appendix A. The main 
result however gives 

Theorem A.17. Given an odd integer N > 13, and any $\sqrt 2 > \epsilon > 0$. Then $F_N$ 
can be computed with error bounded by $\epsilon$ using at most $12.53 + 3\log N$ qubits. 
The algorithm has operation complexity 

(44)  $O\left(\log N \log\log N + \log 1/\epsilon\right)$ 

The induced probability distributions $\mathcal{D}_\nu$ from the output and $\mathcal{D}$ from $F_N|u\rangle \otimes \cdots$ 
satisfy 

(45)  $|\mathcal{D}_\nu - \mathcal{D}| < 2\epsilon + \epsilon^2$ 

This says we can approximate the QFT very well. For odd N < 13 we can also 
design circuits using the methods in the proof. It is not currently known how to 
construct an exact QFT for odd cyclic groups, so this is as good as it (currently) 
gets. 



3.4.4. Final result: the Cyclic HSP Algorithm. Combining sections 3.4.2 and 3.4.3 
with the reasoning in section 3.3, we end up with the cyclic HSP algorithm: 

The Hidden Subgroup Algorithm, Cyclic Abelian Case 

Given: The group $G = \mathbb{Z}_N$ for a positive integer N, and a quantum black- 
box that evaluates a function $f : |x\rangle|y\rangle \mapsto |x\rangle|f(x) \oplus y\rangle$, which we assume 
requires constant time^16. 
Promise: f is constant on a subgroup $H = \langle d \rangle$ of G, and is distinct on cosets 
of H. 
Output: The integer d, in time $O(\log^2 N)$ with probability at least 3/4, and 
using at most O(poly(log N)) qubits. 

We proceed as follows 

(1) Do the following steps for 8 trials, obtaining samples $t_1, t_2, \ldots, t_8$. 
(a) On the initial state $|0\rangle|0\rangle$ apply the quantum Fourier transform $F_N$ 
(as earlier), with an approximation error of at most $\epsilon = 0.01$. 
(b) Apply f in constant time. 
(c) Sample the registers in constant time, obtaining $t_i$, a multiple of $M = |H|$. 

(2) Compute $M = \gcd(t_1, t_2, \ldots, t_8)$ using the Euclidean algorithm^17 in time 
$O(\log^2 N)$. 

(3) Output the answer d = N/M. 

The probability of any one run returning a valid sample is at least $1 - (2\epsilon + \epsilon^2)$. 
We fix $\epsilon = 0.01$. We require 8 good samples, at which point the probability of 
them returning the correct GCD is at least $1 - (1/2)^4$, so the probability of success 
is then $(1 - 0.0201)^8 (15/16) > 3/4$. Oddly enough, the Euclidean Algorithm to 
compute the GCD requires more time than the QFT, and the result follows. 

16 Even if the time to compute f is not constant, if f can be computed efficiently, the overall 
algorithm is still efficient since f is called only a few times. 
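The cyclic algorithm just stated, as an added example that is not code from the paper: an exact classical simulation over $\mathbb{Z}_N$ with $H = \langle d \rangle$, showing that the measured values are uniformly distributed multiples of $M = |H|$, that the gcd of the samples recovers M, and how the empirical gcd success rate compares with the $1 - (1/2)^{k/2}$ bound quoted from lemma E.2. The coset-separating f (x mod d) and all function names are my own constructions.

```python
import cmath
import math
import random
from math import gcd

# Added example (not from the paper): exact classical simulation of the cyclic
# HSP algorithm above for G = Z_N and H = <d>, d | N. Registers are amplitude
# vectors over Z_N and the one quantum step, F_N, is evaluated as the defining
# matrix sum, so this is exponential in log N and only illustrates the samples.

def dft(amps):
    """F_N on an amplitude vector over Z_N: (1/sqrt N) sum_j w_N^{jk} amps[j]."""
    N = len(amps)
    return [sum(amps[j] * cmath.exp(2j * math.pi * j * k / N) for j in range(N))
            / math.sqrt(N) for k in range(N)]

def make_oracle(N, d):
    """Constructed coset-separating f for H = <d>: f(x) = x mod d is constant on
    each coset x + H and takes distinct values on distinct cosets."""
    assert N % d == 0
    return lambda x: x % d

def sample_once(N, f, rng=None):
    """Steps 1(a)-(c) of one trial: F_N|0> gives the uniform superposition, f is
    applied, the second register is measured (collapsing the first register to a
    coset state |t0 + H>), then F_N is applied and the first register measured.
    Returns (measured t, outcome distribution over Z_N)."""
    rng = rng or random.Random(0)
    cosets = {}
    for x in range(N):
        cosets.setdefault(f(x), []).append(x)
    coset = rng.choices(list(cosets.values()),
                        weights=[len(c) for c in cosets.values()])[0]
    amps = [0j] * N
    for x in coset:                      # |t0 + H> = |H|^{-1/2} sum_h |t0 + h>
        amps[x] = 1 / math.sqrt(len(coset))
    probs = [abs(a) ** 2 for a in dft(amps)]
    t = rng.choices(range(N), weights=probs)[0]
    return t, probs

def cyclic_hsp(N, f, trials=8, seed=0):
    """Steps 1-3: the gcd of the samples is M = |H| (with high probability) and
    the answer is d = N/M. Returns (d, samples)."""
    rng = random.Random(seed)
    samples = [sample_once(N, f, rng)[0] for _ in range(trials)]
    M = 0
    for t in samples:
        M = gcd(M, t)                    # gcd(0, t) = t, so this is gcd(t_1..t_k)
    M = M or N                           # every sample 0: gcd undefined, guess d = 1
    return N // M, samples

def gcd_success_rate(d, k, runs, seed=0):
    """Empirical P(gcd(t_1, ..., t_k) = 1) for t_i uniform in {0, ..., d-1},
    to compare with the bound 1 - (1/2)^(k/2) quoted from lemma E.2."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(runs):
        g = 0
        for _ in range(k):
            g = gcd(g, rng.randrange(d))
        hits += g == 1
    return hits / runs

if __name__ == "__main__":
    N, d = 24, 6                         # H = {0, 6, 12, 18}, so M = |H| = 4
    f = make_oracle(N, d)
    t, probs = sample_once(N, f, random.Random(1))
    print("outcomes with non-zero probability:",
          [k for k, p in enumerate(probs) if p > 1e-9])   # multiples of 4, each 1/6
    print("recovered d:", cyclic_hsp(N, f)[0])
    print("P(gcd = 1) for d = 6, k = 8:", gcd_success_rate(6, 8, 20000),
          ">= bound", 1 - 0.5 ** 4)
```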

3.5. The General Finite Abelian Group. We want to generalize the cyclic case 
algorithm to all finite abelian groups. This discussion is a mixture of [?] and [?], 
with unified notation, and minor changes and corrections. 

A basic result about finite abelian groups is the following structure theorem 
(Lang [?]): 

Theorem 3.5. Every finite abelian group G is a direct sum of cyclic groups. 
That is, $G \cong \mathbb{Z}_{N_1} \oplus \mathbb{Z}_{N_2} \oplus \cdots \oplus \mathbb{Z}_{N_k}$. Given generators for G, finding the $N_i$ is 
hard classically, but Cheung and Mosca [?] (Theorem 5.23 below) give an efficient 
quantum algorithm to find the $N_i$. For example, given the cyclic group $\mathbb{Z}_N$, there is 
no known efficient classical algorithm to find the decomposition of the multiplicative 
group $\mathbb{Z}_N^*$ of integers relatively prime to N. Yet classically we can compute within 
this group efficiently. 

So from now on, we assume we know the decomposition of our finite abelian 
group G, and can compute in G efficiently both classically (and hence) quantum 
mechanically. 

Let $G = \mathbb{Z}_{N_1} \oplus \cdots \oplus \mathbb{Z}_{N_k}$ be a finite additive abelian group, and assume we 
have a function f from G to a finite set X, such that there is a subgroup $H \le G$ 
such that f separates cosets of H as in section 3.1. Denote elements of G as k- 
tuples: $g = (g_1, \ldots, g_k)$, where we view $g_j$ either as an integer mod $N_j$ or an integer 
in $\{0, 1, \ldots, N_j - 1\}$. Write $-g$ for the (additive) inverse of $g \in G$. 

To generalize the cyclic group Fourier transform $F_N$ to an arbitrary finite abelian 
group, we need some representation theory, specifically character theory, and to this 
area we now turn. See also section 4.2 for representation theory basics. 



3.5.1. Character Theory of Finite Abelian Groups. To define a Fourier transform 
over G, we need to generalize the $\omega_N^{jk}$ terms from the cyclic case, basically by 
putting one such term for each entry in the k-tuple description of G. 

Definition 3.6. A character of a group G is a group homomorphism from G to 
the multiplicative group of nonzero complex numbers $\mathbb{C}^*$. 

Recall this is then just a map of sets $\chi : G \to \mathbb{C}^*$ such that 

(46)  $\chi(g_1 + g_2) = \chi(g_1)\chi(g_2)$ 

17 The GCD complexity follows from O(log N) time algorithms for division in [15] and that the 
most steps used in the Euclidean algorithm happens when the input is two consecutive Fibonacci 
numbers multiplied by an integer. 
We think of G as having an additive structure, and $\mathbb{C}^*$ a multiplicative structure. 
From this simple definition we derive some tools and facts which will allow us to 
finish the HSP discussion for finite abelian groups. 

Our first task is to describe all characters $\chi : G \to \mathbb{C}^*$. Denote the identity of G 
by $e = (0, 0, \ldots, 0)$; the identity of $\mathbb{C}^*$ is 1. 

Let $\chi : G \to \mathbb{C}^*$ be a character (so $\chi(ng) = \chi(g)^n$ for any integer n and group 
element g). Let $\beta_1 = (1, 0, 0, \ldots, 0) \in G$, $\beta_2 = (0, 1, 0, \ldots, 0) \in G$, ..., $\beta_k = 
(0, 0, \ldots, 0, 1) \in G$. Then for any element $g = (g_1, g_2, \ldots, g_k)$ we have 

(47)  $\chi(g) = \chi\Big(\sum_{j=1}^{k} g_j \beta_j\Big)$ 

(48)  $= \prod_{j=1}^{k} \chi(\beta_j)^{g_j}$ 

so $\chi$ is completely determined by its values on the $\beta_j$. Since $\beta_j$ has order $N_j$, $\chi(\beta_j)$ 
must have order dividing $N_j$, for each j. Then we must have^18 that $\chi(\beta_j) = \omega_{N_j}^{h_j}$ 
for some integer $h_j$. It is sufficient to consider $h_j \in \{0, 1, \ldots, N_j - 1\}$ since the 
values of $\omega_{N_j}$ are periodic, so any given character $\chi : G \to \mathbb{C}^*$ is determined by a 
k-tuple $(h_1, h_2, \ldots, h_k)$, which may be viewed as an element $h \in G$. This allows 
labelling each distinct character $\chi$ by an element of G: for each $g \in G$ define the 
character $\chi_g : G \to \mathbb{C}^*$ via 

(49)  $\chi_g(h) = \prod_{j=1}^{k} \omega_{N_j}^{g_j h_j}$ for $h \in G$. 

From this definition we notice that for all $g, h \in G$ 

(50)  $\chi_g(-h) = \chi_g(h)^{-1}$ 

Let $\chi(G)$ denote the set of all such homomorphisms, which is a group under the 
operation $\chi_{g_1}\chi_{g_2} = \chi_{g_1 + g_2}$ with identity $\chi_e$. Then we prove 

Theorem 3.7. For a finite abelian group G, $\chi(G) \cong G$. 

Proof. From the discussion above, there is a set bijection between the two sets 
given (in one direction) by $\alpha : g \mapsto \chi_g$, which is also a group isomorphism. The 
identity $e = (0, 0, \ldots, 0) \in G$ is sent to the identity $\alpha(e) = \chi_e$ in $\chi(G)$, and 
$\alpha(g_1 + g_2) = \chi_{g_1 + g_2} = \chi_{g_1}\chi_{g_2} = \alpha(g_1)\alpha(g_2)$, making $\alpha$ a group homomorphism and 
a set bijection, thus an isomorphism. □ 

In the cyclic QFT algorithm, we sampled elements that were multiples of the 
generator of the subgroup H, and to generalize this to the finite abelian case where 
there may not be a single generator, we introduce orthogonal elements. For any 
subset $X \subseteq G$, we say an element $h \in G$ is orthogonal to X if $\chi_h(x) = 1$ for all 
$x \in X$. Then for any subgroup $H \le G$ we define the orthogonal subgroup 

(51)  $H^\perp = \{g \in G \mid \chi_g(h) = 1 \text{ for all } h \in H\}$ 

as the set of all elements in G orthogonal to H. $H^\perp$ is a subgroup of G as follows: 
the identity $e \in G$ is in $H^\perp$ since $\chi_e(g) = 1$ for all $g \in G$, and if $a, b \in H^\perp$ then 
for any $h \in H$ we have $\chi_h(a - b) = \chi_h(a)/\chi_h(b) = 1$ so $a - b \in H^\perp$, and $H^\perp$ is a 
subgroup of G. 

18 Recall $\omega_N$ is a primitive N-th root of unity, from section 1.3. 

Note 3.8. These orthogonal subgroups are not quite like orthogonal subspaces. 
For example, we could have nontrivial $H \cap H^\perp$, unlike the vector space example. 
Here is an example following [36] where $H = H^\perp \ne G$. Let $G = \mathbb{Z}_4$, $H = \{0, 2\}$. 
Then $H^\perp = \{(a) \in G \mid \omega_4^{ah} = 1 \text{ for all } (h) \in H\} = \{(a) \mid (-1)^a = 1\} = H$. This can 
be extended to give examples of varying weirdness. 

Another useful fact is 

Theorem 3.9. Let G be a finite abelian group, and $\chi \in \chi(G)$ a fixed character, 
and $\chi_e$ the identity character sending $G \to 1$. Then 

(52)  $\sum_{g \in G} \chi(g) = \begin{cases} |G| & \text{if } \chi = \chi_e \\ 0 & \text{if } \chi \ne \chi_e \end{cases}$ 

Proof. Fix $G = \mathbb{Z}_{N_1} \oplus \cdots \oplus \mathbb{Z}_{N_k}$, and by theorem 3.7 fix $h \in G$ with $\chi = \chi_h$. Using 
the notation above, 

(53)  $\sum_{g \in G} \chi_h(g) = \sum_{g_1=0}^{N_1-1} \cdots \sum_{g_k=0}^{N_k-1} \prod_{j=1}^{k} \omega_{N_j}^{h_j g_j}$ 

(54)  $= \prod_{j=1}^{k} \left( \sum_{g_j=0}^{N_j-1} \omega_{N_j}^{h_j g_j} \right)$ 

If some $\omega_{N_j}^{h_j} \ne 1$, then the geometric series $\sum_{g_j=0}^{N_j-1} \omega_{N_j}^{h_j g_j} = 0$, making the entire 
product 0. This happens if and only if $\chi_h \ne \chi_e$. If $\chi_h = \chi_e$ then the sum is |G|. □ 

We now prove some relations between H and $H^\perp$. 

Theorem 3.10. With the notation above, 

(55)  $G/H \cong H^\perp$ 

(56)  $H^{\perp\perp} = H$ 

Proof. Using theorem 3.7, we already have $H^\perp \cong \chi(H^\perp)$ and $\chi(G/H) \cong G/H$, so 
it is enough to prove $\chi(H^\perp) \cong \chi(G/H)$. For any element $g \in G$ let $\bar g$ denote the 
image in G/H under the projection map $\pi : G \to G/H$. Note that any character 
$\chi_{h'} \in \chi(H^\perp)$ coming from an element $h' \in H^\perp$ can also be viewed as a character 
on G, since h' is also in G. Then define a map $\alpha : \chi(H^\perp) \to \chi(G/H)$ via 

$(\alpha\chi_{h'})(\bar g) = \chi_{h'}(g)$ 

where $\bar g \in G/H$ and g is any coset representative, i.e., $\bar g = g + H$. We will show $\alpha$ 
is a group isomorphism. 

$\alpha$ is well defined since if $g_1$ and $g_2$ are different representatives of the same 
coset $\bar g_1 = \bar g_2$, then there is an $h \in H$ with $g_1 - g_2 = h$, giving $(\alpha\chi_{h'})(\bar g_1) = 
\chi_{h'}(g_1) = \chi_{h'}(g_2 + h) = \chi_{h'}(g_2) \cdot 1 = (\alpha\chi_{h'})(\bar g_2)$. For the identity $\chi_e \in \chi(H^\perp)$ and 
any $\bar g \in G/H$ we have $(\alpha\chi_e)(\bar g) = \chi_e(g) = 1$, so $\alpha\chi_e$ is the identity in $\chi(G/H)$. 
Also for $\bar g \in G/H$, $(\alpha(\chi_{h_1}\chi_{h_2}))(\bar g) = (\alpha\chi_{h_1 + h_2})(\bar g) = \chi_{h_1 + h_2}(g) = \chi_{h_1}(g)\chi_{h_2}(g) = 
((\alpha\chi_{h_1})(\alpha\chi_{h_2}))(\bar g)$, so $\alpha$ is a group homomorphism. 

To show $\alpha$ is injective, suppose for some $h' \in H^\perp$ that $\alpha\chi_{h'}$ is the identity in 
$\chi(G/H)$. Take any $g \in G$. $(\alpha\chi_{h'})(\bar g) = 1$ implies $\chi_{h'}(g) = 1$, and since this is for any 
$g \in G$, we have $\chi_{h'} = \chi_e$. $G \cong \chi(G)$ then gives $h' = e$, and thus $\alpha$ is injective. 

Now all we need is to show $\alpha$ is surjective. Let $\chi \in \chi(G/H)$. The composite 
map with the projection $\pi : G \to G/H$ gives a homomorphism $\chi \circ \pi : G \to 
G/H \to \mathbb{C}^*$, thus is a character, say $\chi_t$, for some fixed $t \in G$. For $h \in H$ this 
evaluates to $\chi_t(h) = \chi(\bar e) = 1$, so $t \in H^\perp$, and $\chi_t \in \chi(H^\perp)$. To show $\alpha\chi_t = \chi$, let 
$\bar g \in G/H$ and compute: $(\alpha\chi_t)(\bar g) = \chi_t(g) = \chi(\pi(g)) = \chi(\bar g)$. Thus $\alpha$ is surjective 
and thus a group isomorphism. 

To show $H^{\perp\perp} = H$ start with the isomorphism already proven: $|G/H| = |H^\perp|$ 
gives $|G/H^\perp| = |H|$ and also implies $|G/H^\perp| = |H^{\perp\perp}|$, giving $|H| = |H^{\perp\perp}|$. Fix 
$h \in H$. By definition $H^{\perp\perp} = \{g \in G \mid \chi_g(h') = 1 \text{ for all } h' \in H^\perp\}$. In particular 
$\chi_h(h') = \chi_{h'}(h) = 1$ for all $h' \in H^\perp$ by the definition of $H^\perp$, so we have $h \in H^{\perp\perp}$, 
giving $H \subseteq H^{\perp\perp}$. Thus $H = H^{\perp\perp}$. □ 

3.5.2. The General Finite Abelian Group Quantum Fourier Transform. We con- 
tinue the notation from the previous section. Similar to the cyclic QFT algorithm 
returning multiples of the generator of H (which is really the orthogonal subgroup), 
this general finite abelian QFT algorithm will return elements of the orthogonal 
subgroup $H^\perp$. We start with the Fourier transform. 

We define three quantum operators over the group G: the Fourier transform $F_G$ 
over G, the translation operator $\tau_t$ for a $t \in G$, and the phase-change operator $\phi_h$ 
for $h \in G$ as 

(57)  $F_G = \frac{1}{\sqrt{|G|}} \sum_{g, h \in G} \chi_g(h)\,|g\rangle\langle h|$ 

(58)  $\tau_t = \sum_{g \in G} |t + g\rangle\langle g|$ 

(59)  $\phi_h = \sum_{g \in G} \chi_g(h)\,|g\rangle\langle g|$ 

Note that for cyclic $G = \mathbb{Z}_N$ the Fourier transform is the same as earlier in 
section 3.3, since then $\chi_h(g) = e^{2\pi i hg/N}$, and we recover the earlier algorithm. 

First we check that the Fourier transform maps a subgroup H to its orthogonal 
subgroup $H^\perp$. 

Theorem 3.11. 

(60)  $F_G|H\rangle = |H^\perp\rangle$ 

Proof. Recall from the definition of a subset $|H\rangle = \frac{1}{\sqrt{|H|}} \sum_{h \in H} |h\rangle$. Then 

(61)  $F_G|H\rangle = \frac{1}{\sqrt{|G|}} \sum_{g, h' \in G} \chi_g(h')\,|g\rangle\langle h'| \;\frac{1}{\sqrt{|H|}} \sum_{h \in H} |h\rangle$ 

(62)  $= \frac{1}{\sqrt{|G||H|}} \sum_{g, h' \in G} \sum_{h \in H} \chi_g(h')\,|g\rangle\langle h'|h\rangle$ 

(63)  $= \frac{1}{\sqrt{|G||H|}} \sum_{g \in G} \sum_{h \in H} \chi_g(h)\,|g\rangle$ 

(64)  $= \frac{1}{\sqrt{|G||H|}} \sum_{g \in G} \Big( \sum_{h \in H} \chi_g(h) \Big) |g\rangle$ 

Now consider the coefficient $\sum_{h \in H} \chi_g(h)$ of the ket $|g\rangle$. The G character $\chi_g$ is 
also a character of H, so by theorem 3.9 the sum is 0 unless the character is the 
identity on H, in which case the sum is |H|. $\chi_g$ is the identity on H precisely when 
$\chi_g(h) = 1$ for all $h \in H$, i.e., $g \in H^\perp$. So equation 64 becomes 

(65)  $= \frac{|H|}{\sqrt{|G||H|}} \sum_{g \in H^\perp} |g\rangle$ 

(66)  $= \frac{1}{\sqrt{|H^\perp|}} \sum_{g \in H^\perp} |g\rangle = |H^\perp\rangle$ 

where we used theorem 3.10 to get $\frac{|H|}{\sqrt{|G||H|}} = \frac{1}{\sqrt{|G|/|H|}} = \frac{1}{\sqrt{|H^\perp|}}$. □ 
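The character theory of sections 3.5.1 and 3.5.2 checked by brute force, as an added example that is not code from the paper: for $G = \mathbb{Z}_{N_1} \oplus \cdots \oplus \mathbb{Z}_{N_k}$ with elements as k-tuples it evaluates $\chi_g(h)$ from equation (49), computes $H^\perp$ from (51), verifies theorem 3.9, both parts of theorem 3.10, and that $F_G|H\rangle = |H^\perp\rangle$ (theorem 3.11), including the Note 3.8 case $G = \mathbb{Z}_4$, $H = \{0, 2\}$. The second sample group and all function names are my own choices.

```python
import cmath
import itertools
import math

# Added example (not from the paper): brute-force checks of the character
# theory above on G = Z_{N_1} + ... + Z_{N_k}, elements written as k-tuples.

def elements(mods):
    """All k-tuples of G = Z_{N_1} + ... + Z_{N_k}, where mods = (N_1, ..., N_k)."""
    return list(itertools.product(*(range(N) for N in mods)))

def add(mods, g, h):
    """Componentwise addition in G."""
    return tuple((a + b) % N for a, b, N in zip(g, h, mods))

def chi(mods, g, h):
    """chi_g(h) = prod_j w_{N_j}^{g_j h_j}, equation (49)."""
    return cmath.exp(2j * math.pi * sum(a * b / N for a, b, N in zip(g, h, mods)))

def subgroup(mods, generators):
    """The subgroup generated by the given elements (closure under addition;
    inverses come for free in a finite group)."""
    H = {tuple(0 for _ in mods)}
    frontier = list(H)
    while frontier:
        x = frontier.pop()
        for s in generators:
            y = add(mods, x, s)
            if y not in H:
                H.add(y)
                frontier.append(y)
    return H

def orthogonal(mods, H):
    """H^perp = {g in G : chi_g(h) = 1 for all h in H}, equation (51)."""
    return {g for g in elements(mods)
            if all(abs(chi(mods, g, h) - 1) < 1e-9 for h in H)}

def character_sum(mods, g):
    """sum_{h in G} chi_g(h): |G| when g = e, otherwise 0 (theorem 3.9)."""
    return sum(chi(mods, g, h) for h in elements(mods))

def fourier_of_subgroup_state(mods, H):
    """Apply F_G (equation 57) to |H> = |H|^{-1/2} sum_{h in H} |h>. Returns the set
    of basis elements with non-zero amplitude and the full amplitude table."""
    G = elements(mods)
    amps = {g: sum(chi(mods, g, h) for h in H) / math.sqrt(len(G) * len(H))
            for g in G}
    support = {g for g, a in amps.items() if abs(a) > 1e-9}
    return support, amps

def check_theorems(mods, generators):
    """For H generated by `generators`, returns
    (H^perp, |G/H| == |H^perp|, H^perp^perp == H, F_G|H> == |H^perp>)."""
    G = elements(mods)
    H = subgroup(mods, generators)
    Hp = orthogonal(mods, H)
    support, amps = fourier_of_subgroup_state(mods, H)
    target = 1 / math.sqrt(len(Hp))          # amplitude of |H^perp> on its support
    fourier_ok = support == Hp and all(abs(amps[g] - target) < 1e-9 for g in Hp)
    return Hp, len(G) // len(H) == len(Hp), orthogonal(mods, Hp) == H, fourier_ok

if __name__ == "__main__":
    # Note 3.8: G = Z_4, H = {0, 2} is its own orthogonal subgroup
    print(check_theorems((4,), [(2,)]))
    # constructed second case: G = Z_6 + Z_4 with H generated by (2, 2), |H| = 6
    print(check_theorems((6, 4), [(2, 2)]))
    print(abs(character_sum((6, 4), (3, 2))) < 1e-9,      # non-trivial character
          round(character_sum((6, 4), (0, 0)).real))      # trivial character: |G|
```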



We also have 

Theorem 3.12 (Commutative laws of the G-operators). For every $h, t \in G$ 

(67)  $\chi_h(t)\,\tau_t \phi_h = \phi_h \tau_t$ 

(68)  $F_G \phi_h = \tau_{-h} F_G$ 

(69)  $F_G \tau_t = \phi_t F_G$ 

Proof. We prove the last one, which is the only one we explicitly use. The rest are 
similar. We use the identity $I = \sum_{g \in G} |g\rangle\langle g|$. 

$F_G \tau_t = \Big( \frac{1}{\sqrt{|G|}} \sum_{g, h \in G} \chi_g(h)\,|g\rangle\langle h| \Big)\Big( \sum_{g' \in G} |t + g'\rangle\langle g'| \Big)$ 

$= \frac{1}{\sqrt{|G|}} \sum_{g, g', h \in G} \chi_g(h)\,|g\rangle\langle h|t + g'\rangle\langle g'|$ 

$= \frac{1}{\sqrt{|G|}} \sum_{g, g' \in G} \chi_g(t + g')\,|g\rangle\langle g'|$ 

$= \frac{1}{\sqrt{|G|}} \sum_{g, g' \in G} \chi_g(t)\chi_g(g')\,|g\rangle\langle g'|$ 

$= \frac{1}{\sqrt{|G|}} \sum_{a, g, g' \in G} \chi_a(t)\chi_g(g')\,|a\rangle\langle a|g\rangle\langle g'|$ 

$= \Big( \sum_{a \in G} \chi_a(t)\,|a\rangle\langle a| \Big)\Big( \frac{1}{\sqrt{|G|}} \sum_{g, g' \in G} \chi_g(g')\,|g\rangle\langle g'| \Big)$ 

$= \phi_t F_G$ □ 



Then the algorithm becomes: 

(1) Apply the quantum Fourier transform^19 to the first register of the zero state 
on two registers: 

$|0\rangle|0\rangle \mapsto \frac{1}{\sqrt{|G|}} \sum_{g \in G} |g\rangle|0\rangle$ 

obtaining a superposition over all elements of G. 

(2) Apply the coset separating function f: 

$\frac{1}{\sqrt{|G|}} \sum_{g \in G} |g\rangle|f(g)\rangle$ 

and as before, f constant and distinct on cosets allows the simplification 

$\frac{1}{\sqrt{|T|}} \sum_{t \in T} |t + H\rangle|f(t)\rangle = \frac{1}{\sqrt{|T|}} \sum_{t \in T} \tau_t |H\rangle|f(t)\rangle$ 

where $T = \{t_1, \ldots, t_m\}$ is a transversal (set of coset representatives) for H 
in G. 

(3) Apply the Fourier transform $F_G$ to the first register, and apply theorems 
3.11 and 3.12: 

$\frac{1}{\sqrt{|T|}} \sum_{t \in T} F_G \tau_t |H\rangle|f(t)\rangle = \frac{1}{\sqrt{|T|}} \sum_{t \in T} \phi_t F_G |H\rangle|f(t)\rangle = \frac{1}{\sqrt{|H^\perp|}} \sum_{t \in T} \phi_t |H^\perp\rangle|f(t)\rangle$ 

We used that $|T| = |G|/|H| = |H^\perp|$ by theorem 3.10. Note we could have 
measured the second register as in the cyclic case, but a fact called "The 
Principle of Deferred Measurement" allows us to measure at the end^20. 

(4) Measure the first register, obtaining a random element (uniformly dis- 
tributed) of $H^\perp$. Note that the phase $\phi_t$ does not affect amplitudes, so 
we could measure the second register first if we desired, fixing a $t_0$, as 
mentioned in the previous step. 

This algorithm returns uniformly distributed random elements of $H^\perp$. Since 
$(H^\perp)^\perp = H$, determining a generating set for $H^\perp$ determines H uniquely. The 
following discussion comes from [?], with details not mentioned there to make the 
results precise. 

Theorem D.1 in appendix D proves that choosing $t + \lceil \log|G| \rceil$ uniformly random 
elements of a finite group G will generate G with probability greater than $1 - \frac{1}{2^t}$. 

19 Usually the inverse transform is applied here, but this has the same effect for the $|0\rangle$ state. 
[?, Lemma 8] allows quicker setting of these superposed states with high probability. 

20 ... you will see we still get the desired outcome whether or not we measure twice, or only 
once at the end. 
For the moment assume we have chosen a generating^21 set $g^1, g^2, \ldots, g^t$ for $H^\perp$. 
We want to find efficiently a generating set for H, finishing the algorithm. Since 
$H^{\perp\perp} = H$, an element $h \in H$ if and only if $\chi_h(g^j) = 1$ for all $j = 1, 2, \ldots, t$. Next 
we make these relations linear. 

Let $d = \mathrm{LCM}\{N_1, N_2, \ldots, N_k\}$. Set $a_i = d/N_i$, giving $\omega_{N_i} = \omega_d^{a_i}$. Then 
$\chi_h(g^j) = \prod_{i=1}^{k} \omega_d^{a_i h_i g^j_i} = 1$ if and only if $\sum_{i=1}^{k} a_i h_i g^j_i \equiv 0 \pmod d$. So to find 
elements of H, we find random solutions to the system of t linear equations 

(70)  $a_1 g^1_1 X_1 + a_2 g^1_2 X_2 + \cdots + a_k g^1_k X_k \equiv 0 \pmod d$ 
      $a_1 g^2_1 X_1 + a_2 g^2_2 X_2 + \cdots + a_k g^2_k X_k \equiv 0 \pmod d$ 
      $\vdots$ 
      $a_1 g^t_1 X_1 + a_2 g^t_2 X_2 + \cdots + a_k g^t_k X_k \equiv 0 \pmod d$ 

We do the following. Run the algorithm $T = t_1 + \lceil \log|G| \rceil$ times, giving elements 
$g^1, g^2, \ldots, g^T \in H^\perp$. Since $H^\perp \subseteq G$, these elements generate $H^\perp$ with probability 
$p_1 > 1 - 1/2^{t_1}$. We want to sample solutions to the system of equations 70 randomly 
and uniformly, to get $S = t_2 + \lceil \log|G| \rceil$ samples of H, which would generate H with 
probability $p_2 > 1 - 1/2^{t_2}$. To sample the solutions, view the equations in matrix 
form $AX \equiv 0 \pmod d$, and then compute the Smith normal form^22 of A, that 
is, a diagonal matrix D such that D = UAV with U and V being integer valued 
invertible matrices. Then we can uniformly randomly find solutions to $DY \equiv 0 
\pmod d$ by solving simple linear congruences, and then compute X = VY, which 
is a uniformly randomly selected solution to the system of equations 70. This 
determines generators of H with probability at least $(1 - \frac{1}{2^{t_1}})(1 - \frac{1}{2^{t_2}})$. 

Note that $F_G = \bigotimes_{i=1}^{k} F_{N_i}$, so we compute it by using the cyclic case algorithm 
from section 3.4.4, with the time complexity listed there. Choosing $t_1 = t_2 = 
\lceil \log|G| \rceil + 1$ gives a probability of success at least $1 - \frac{1}{|G|}$. After obtaining the 
system of equations we compute D and V in time $O(\log|G| \log\log|G|)$ as in 
[120]. Then we sample the resulting system $O(\log|G|)$ times, and convert the 
answers to solutions to 70, totaling a time O(poly(log|G|)). 

Thus we have proven the following (partially stated in Ettinger and Høyer 
theorem 2.2.) 

Theorem 3.13 (Finite abelian HSP algorithm). Given a finite abelian group G, a 
finite set X, and a function $f : G \to X$ that separates cosets of H for some subgroup 
$H \le G$, then there exists a quantum algorithm that outputs a subset $S \subseteq H$ such 
that S is a generating set for H with probability at least 1 - 1/|G|. The algorithm 
uses O(log|G|) evaluations of f, and runs in time polynomial in log|G| and in the 
time required to compute f, using a quantum circuit of size O(log|G| log log|G|). 

21 Here the exponent does not denote power, but is used since later we will use subscripts on 
these elements. 

22 [120] shows how to compute the Smith Normal form D = UAV of an $m \times n$ integer matrix A 
mod d in time $O(n^2 m)$, and recover the U and V in time $O(n^2 m \log^c(n^2 m))$, for some constant 
c > 0. 

3.6. The Standard Problems. Now that we can efficiently find hidden subgroups 
of finite abelian groups, we show a few examples of how to use the algorithms. For 
a longer list of examples, see [?, Figure 5.5]. We merely mention some algorithms 
that fall into this framework: Deutsch's algorithm [37] (modified by Cleve), Deutsch 
and Jozsa's algorithm [38], Simon's algorithm [118], Shor's factoring and discrete 
log algorithms [115], hidden linear function algorithms, and the abelian stabilizer 
algorithm [77]. Now on to two examples. 

3.6.1. Simon's Algorithm. Simon's [118] algorithm distinguishes a trivial subgroup 
from an order 2 subgroup over the additive group $\mathbb{Z}_2^n$. He showed that a classical 
probabilistic oracle requires exponentially many (in n) more oracle queries than a 
quantum algorithm to distinguish the two subgroup types with probability greater 
than 1/2, giving a major boost to the argument that quantum computers may be 
more powerful than classical ones. He posed the following problem in 1994 (modified 
somewhat to fit our discussion): 

GIVEN a function $f : \mathbb{Z}_2^n \to \mathbb{Z}_2^m$ with m > n, and such that there is a constant 
$s \in \mathbb{Z}_2^n$ for which $f(x) = f(x')$ if and only if $x = x' \oplus s$, where $\oplus$ is componentwise 
(binary) addition. 

FIND s. 

Here the subgroup is $H = \{0, s\} \le G = \mathbb{Z}_2^n$, and so we can find it quickly with 
high probability using the algorithm from theorem 3.13. However, to solve this 
classically, one may have to call f O(|G|) times, evaluating f on many points, to 
find the value s. 

3.6.2. Shor's Factoring Algorithm. Shor [114] generalizes Simon's algorithm to ob- 
tain an integer factorization (and discrete log) algorithm. A good explanation is 
also in [69]. Integer factorization is classically very hard (see Lenstra and Pomer- 
ance [?]), and is the basis of the widely used public key cryptography algorithm 
RSA. Shor's Integer Factorization Algorithm reduces to finding the order r of an 
integer x mod N, that is, the smallest r such that $x^r \equiv 1 \bmod N$. We wish to 
factor a composite integer N > 0, and it suffices to find a non-trivial solution to 
$x^2 \equiv 1 \bmod N$, then x + 1 or x - 1 is a factor of N. A randomly chosen y relatively 
prime to N is likely to have even order, giving the solution $x = y^{r/2}$. All of this, 
except the order finding part, is efficient classically. Thus the hard part of the prob- 
lem is to find the order of a given x modulo N. In other words, $f(a) = x^a \bmod N$, 
so $f(a + r) = f(a)$ for all a, and the HSP finds the generator r of the subgroup 
$\langle r \rangle = H \le G = \mathbb{Z}_N$. 
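The classical part of the reduction just described, as an added example that is not code from the paper: from a random y relatively prime to N and its order r, the even-order check, $x = y^{r/2}$, and the gcd with $x \pm 1$ that yields a factor. The quantum order-finding step is replaced by a brute-force order finder (exponential, a stand-in only), and the composite 255 and the function names are my own choices.

```python
import random
from math import gcd

# Added example (not from the paper): the classical part of Shor's reduction
# above, run on small numbers. The quantum step (order finding, i.e. the HSP
# over Z_N with f(a) = x^a mod N) is replaced by a brute-force order finder,
# which is exponential and only a stand-in so the reduction can be executed.

def order(x, N):
    """Smallest r >= 1 with x^r = 1 (mod N). Stand-in for the quantum step."""
    assert gcd(x, N) == 1, "order only defined for x relatively prime to N"
    r, y = 1, x % N
    while y != 1:
        y = (y * x) % N
        r += 1
    return r

def factor_from_order(N, y, r):
    """With r the order of y: if r is even, z = y^(r/2) satisfies z^2 = 1 (mod N).
    If z is a non-trivial square root of 1 (z != -1 mod N) then one of
    gcd(z - 1, N), gcd(z + 1, N) is a proper factor. Returns None on failure."""
    if r % 2:
        return None
    z = pow(y, r // 2, N)
    if z == N - 1:                       # trivial root: (z-1)(z+1) gives nothing
        return None
    for cand in (gcd(z - 1, N), gcd(z + 1, N)):
        if 1 < cand < N:
            return cand
    return None

def shor_factor(N, seed=0, max_tries=50):
    """Randomised reduction: returns (factor, y, r) for an odd composite N with
    at least two distinct prime factors, or None if every try failed."""
    rng = random.Random(seed)
    for _ in range(max_tries):
        y = rng.randrange(2, N)
        g = gcd(y, N)
        if g != 1:
            return g, y, None            # lucky draw: y already shares a factor
        r = order(y, N)                  # quantum order finding in Shor's algorithm
        f = factor_from_order(N, y, r)
        if f is not None:
            return f, y, r
    return None

if __name__ == "__main__":
    N = 15 * 17                          # constructed composite, 255
    print(shor_factor(N))                # e.g. (17, y, r) or (3, y, r)
```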

3.7. Conclusion. In conclusion, we have shown that for any finite abelian group 
G, and any efficiently computable function f that separates cosets of some subgroup 
$H \le G$, we can efficiently find a generating set for H with high probability. This 
was summarized in theorem 3.13. 

In the process of doing this we isolated a few items needed to construct an 
efficient HSP algorithm for a group G: 

(1) An efficient way is needed to compute the quantum Fourier transform over 
the group G. This evolved from the simple Fourier transform, through a 
more abstract one involving character theory, and in the general setting 
will involve representation theory^23 to define the Fourier transform over 
nonabelian groups. 

(2) An efficient way is needed to compute the coset separating function f. 
For Shor's algorithm this is raising an integer to a power mod N, which is 
efficient classically. Simon's algorithm had bitwise addition as the function, 
which also is efficient classically. 

(3) Finally, these HSP algorithms needed some post processing to extract the 
desired information from the randomly sampled elements of the orthogonal 
subgroup. This will turn out to be hard for nonabelian groups. Groups are 
known with efficient quantum Fourier transforms, but no known polynomial 
time algorithm is available to reconstruct hidden subgroups. 

With that said, let's begin analyzing the general (nonabelian) case. 

23 See section 4.2 for representation theory basics. 



4. The General Hidden Subgroup Problem 

Why do we want to find hidden subgroups of nonabelian groups? An efficient 
abelian HSP algorithm yielded an integer factoring algorithm which is exponen- 
tially faster than any known classical algorithm. Similarly, finding efficient HSP 
algorithms over certain nonabelian groups would yield algorithms faster than any 
known classical ones for several important problems, two of which we now explain. 

4.1. Importance. One of the main reasons much research has been done into the 
HSP problem for nonabelian groups is the desire to find an efficient algorithm for the 
Graph Isomorphism problem: when are two graphs isomorphic? This algorithm has 
eluded researchers for over thirty years [81], [94]. Appendix B shows equivalences 
between several graph related algorithms, and describes several reductions. One 
reduction shown in appendix B gives that if the HSP could be solved efficiently for 
the symmetric group $S_n$, then we would have a polynomial time algorithm for the 
Graph Isomorphism Problem. 

Another reason is that an efficient algorithm for solving the HSP for the dihedral 
group $D_n$ would yield a fast algorithm for finding the shortest vector in a lattice, 
first shown by Regev [107]. This would yield another algorithm whose classical 
counterpart is much less efficient than the quantum version. Finding the shortest 
lattice vector has many uses, including applications to cryptography. 

Before we cover the nonabelian HSP, we need to generalize the QFT algorithm, 
which is what the rest of this section will do. Then section 5 will list the main 
results known so far for the nonabelian HSP. 



4.2. Representation Theory Overview. To generalize the abelian QFT algo- 
rithm, we need the nonabelian analogue of the Fourier transform. The method 
explained in section 3.5 shows the general machinery: we need representations of 
the group G. What follows is a brief overview of representation theory, whic h can 
be seen in detail in either of the excellent texts Fulton-Harris [[33) or Serrc [ 113 1 . 
We only cover enough of the definitions and facts to define precisely the quantum 
Fourier transform for finite groups. Some definitions and facts: 

Representation. A representation $\rho$ of a group $G$ is a group homomorphism 
$\rho : G \to GL(V)$ where $V$ is a vector space over a field $F$. For our purposes $G$ 
will be finite, $V$ will be finite dimensional of (varying) dimension $d$, and the field 
$F$ will be the complex numbers $\mathbb{C}$. Fixing a basis of $V$, each $g \in G$ gives rise to a 
$d \times d$ invertible matrix $\rho(g)$, which we can take to be unitary. The dimension $d_\rho$ 
of the representation is the dimension $d$ of $V$. We will often use the term irrep as 
shorthand for an irreducible representation. 

We say two representations $\rho_1 : G \to GL(V)$ and $\rho_2 : G \to GL(W)$ are isomor- 
phic when there is a linear vector space isomorphism $\phi : V \to W$ such that for all 
$g \in G$ and $v \in V$, $\phi(\rho_1(g)(v)) = \rho_2(g)(\phi(v))$. In this case we write $\rho_1 \cong \rho_2$. 
Irreducibility. We say a subspace $W \subseteq V$ is an invariant subspace of a rep- 
resentation $\rho$ if $\rho(g)W \subseteq W$ for all $g \in G$. Thus the zero subspace and the total 
space $V$ are invariant subspaces. If there are no nonzero proper invariant subspaces, the 
representation is said to be irreducible. 

Decomposition. When a representation does have a nonzero proper invariant subspace 
$V_1 \subsetneq V$, it is always possible to find a complementary invariant subspace $V_2$ so that 
$V = V_1 \oplus V_2$. The restriction of $\rho$ to $V_i$ is written $\rho_i$, and these give representations 
$\rho_i : G \to GL(V_i)$. Then $\rho = \rho_1 \oplus \rho_2$, and there is a basis of $V$ so that each matrix 
$\rho(g)$ is in block diagonal form with a block for each $\rho_i$. 

Complete reducibility. Repeating the decomposition process, we obtain for 
any representation a decomposition $\rho = \rho_1 \oplus \cdots \oplus \rho_k$, where each representation $\rho_i$ 
is irreducible. This is unique up to permutation of isomorphic factors. 

Complete set of irreducibles. Given a group $G$, there are a finite number of 
irreducible representations up to isomorphism. We label this set $\hat G$. Then we have 
the fact 

(71) $|G| = \sum_{\rho \in \hat G} d_\rho^2$ 

Characters. To a representation $\rho$ is associated a character $\chi_\rho$ defined by 
$\chi_\rho(g) = \operatorname{tr}(\rho(g))$, where $\operatorname{tr}$ is the trace of the matrix. It is basis independent. An 
alternative, equivalent description is that a character is a group homomorphism $\chi : 
G \to \mathbb{C}^*$ where $\mathbb{C}^*$ denotes complex numbers of unit length, and the operation in $\mathbb{C}^*$ is 
multiplication, as we saw in section 3.5. Characters are fixed on conjugacy classes, 
which follows easily from the second definition: $\chi(hgh^{-1}) = \chi(h)\chi(g)\chi(h^{-1}) = \chi(g)$. 

Orthogonality of characters. For two functions $f_1, f_2 : G \to \mathbb{C}$, there is a 
natural inner product $\langle f_1, f_2 \rangle_G = \frac{1}{|G|} \sum_{g \in G} f_1(g) f_2(g)^*$ where $*$ denotes complex 
conjugation. The main fact is: given the character $\chi_\rho$ of a representation $\rho$ and 
the character $\chi_i$ of an irreducible representation $\rho_i$, the inner product $\langle \chi_\rho, \chi_i \rangle_G$ is 
exactly the number of times the representation $\rho_i$ appears in the decomposition of 
$\rho$ into irreducibles. Taking each $\rho$ as unitary simplifies the inner product to 

$\langle \chi_\rho, \chi_i \rangle_G = \frac{1}{|G|} \sum_{g \in G} \chi_\rho(g) \chi_i(g^{-1})$ 

Orthogonality of the second kind. Let $C$ be a conjugacy class of $G$. Since 
a character $\chi_\rho$ is fixed on a conjugacy class, let this value be $\chi_\rho(C)$. Then 

$\sum_{\rho \in \hat G} |\chi_\rho(C)|^2 = \frac{|G|}{|C|}$ 

The Regular Representation. Take $\dim V = |G|$, and fix a basis of $V$ in- 
dexed by elements of $G$, labelling the basis as $e_g$. Then the regular representation 
$\rho_G : G \to GL(V)$ is defined by $G$ permuting the basis elements, i.e., $\rho_G(g)$ sends $e_h$ to $e_{gh}$, 
extended $\mathbb{C}$-linearly. Thus the dimension of the regular representation is $|G|$. An- 
other way to view this representation is as the group algebra $\mathbb{C}[G]$. 

The regular representation contains as subrepresentations every irreducible rep- 
resentation of $G$. If $\rho_1, \ldots, \rho_k$ are all the possible irreducible representations of $G$, 
then 

$\rho_G = d_{\rho_1}\rho_1 \oplus \cdots \oplus d_{\rho_k}\rho_k,$ 

that is, each irreducible $\rho_i$ is contained exactly $d_{\rho_i}$ times. This yields the important 
relation in equation (71). Taking the character associated to this gives, for $g \in G$, 
the "regular character" 

(72) $\chi_G(g) = \sum_{\rho \in \hat G} d_\rho \chi_\rho(g) = \begin{cases} 0 & \text{if } g \neq e \\ N & \text{if } g = e \end{cases}$ 

where the last equality is obtained by noting that $\rho(g)$ acts on $\mathbb{C}[G]$ by permuting 
basis elements, so the trace is $0$ if $g \neq e$ (all basis elements are permuted by any 
non-identity element $g$, so the diagonal is all 0's) and is otherwise $N$. 

The Induced Representation. Given a representation $\rho : H \to GL(W)$ of a 
subgroup $H$ in a group $G$, we can define a way to extend this to a representation 
on $G$ written $\operatorname{Ind}_H^G \rho : G \to GL(V)$, unique up to isomorphism. The idea is to make 
copies of $W$ for each coset of $H$ in $G$, and let cosets permute the copies. So let 
$A = \{e, \tau_1, \ldots, \tau_k\}$ be a complete set of coset representatives, and let $V = \bigoplus_{\tau \in A} W_\tau$. 
Then any $g \in G$ can be written $g = \tau_g h_g$ for some representative $\tau_g \in A$ and $h_g \in H$, 
which acts on $V$ via $\tau_g h_g \left(\bigoplus_\tau W_\tau\right) = \bigoplus_\tau h_g W_{\tau_g \tau}$. 

For representation theory on various groups, most notably the symmetric group 
$S_n$, see James and Kerber [67], Kerber [75], and Simon [117]. A package for 
constructive representation theory is [?]. 

4.3. The General Fourier Transform. With the machinery above, we can de- 
fine the general Fourier transform which works for any finite group, abelian or 
nonabelian. 

Definition 4.1 (Fourier Transform over a finite group). Let $G$ be a finite group of 
order $N$, $f : G \to \mathbb{C}$ any map of sets. For an irreducible representation $\rho$ of $G$ of 
dimension $d_\rho$, define the Fourier transform of $f$ at $\rho$ to be 

(73) $\hat f(\rho) = \sqrt{\frac{d_\rho}{N}} \sum_{g \in G} f(g)\rho(g)$ 

Let $\hat G$ be a complete set of irreducible representations of $G$. We define the inverse 
Fourier transform of $\hat f$ to be 

(74) $f(g) = \sum_{\rho \in \hat G} \sqrt{\frac{d_\rho}{N}} \operatorname{tr}\left(\hat f(\rho)\rho(g^{-1})\right)$ 

To ensure this definition makes sense, we check that the $f(g)$ in the definition of 
the inverse is actually the $f$ we started with, by substituting the definition of $\hat f$ in 
the definition for the inverse, and swapping the order of summation, obtaining 

(75) $\frac{1}{N} \sum_{g' \in G} f(g') \sum_{\rho \in \hat G} d_\rho \operatorname{tr}\left(\rho(g' g^{-1})\right) = f(g),$ 

where we note the rightmost sum is $0$ by equation (72) unless $g' = g$, in which case 
that sum is $N$, so the equality follows. Thus the definition agrees with the initial 
To understand this as a Fourier transform, we associate $f$ and $\hat f$ with vectors 
in $\mathbb{C}^N$, and examine the map $\Gamma : f \to \hat f$. To do this, fix an ordering of $G = 
\{g_1, g_2, \ldots, g_N\}$, and then $f$ is equivalent to a vector we also label $f$, 

$f = (f(g_1), f(g_2), \ldots, f(g_N)) \in \mathbb{C}^N.$ 

To view $\hat f$ as a vector in $\mathbb{C}^N$, we need more choices. Fix an ordering $\hat G = 
\{\rho_1, \rho_2, \ldots, \rho_m\}$, let $d_k = d_{\rho_k}$, and for each $\rho_k : G \to GL(\mathbb{C}^{d_k})$ fix a basis of 
$\mathbb{C}^{d_k}$, so each $\hat f(\rho_k)$ is a $d_k \times d_k$ matrix. We choose each basis as explained in the 
following paragraph so each $\rho_k(g)$ is a unitary matrix. This is required to make the 
final transform unitary, thus an allowable quantum transform. Since $\sum_\rho d_\rho^2 = N$, 
there are $N$ matrix entries, which we order. For brevity label the matrix entry 
$\hat f(\rho_k)_{ij} = \hat f_{ijk}$. Then we can associate $\hat f$ with a vector 

$\hat f = (\hat f_{111}, \hat f_{121}, \ldots, \hat f_{d_1 d_1 1}, \hat f_{112}, \ldots, \hat f_{d_m d_m m}) \in \mathbb{C}^N.$ 

Viewing $\Gamma : f \to \hat f$ as a map from $\mathbb{C}^N$ to itself, it is not hard to show $\Gamma$ is linear. 
It is a good exercise to show $\Gamma$ is a unitary transformation when viewed this way. 

In order to make the final operation unitary, which is required by quantum 
mechanics, we need to choose each of the bases needed above so that each $\rho_k(g)$ is 
a unitary matrix. This is possible, and can be worked out from exercises in Harris 
and Fulton [63]. The rough idea is as follows: On each $\mathbb{C}^{d_k}$ take the standard 
basis, and the standard Hermitian product $\langle v, w \rangle_H = \sum_{i=1}^{d_k} v_i \bar w_i$. Average over 
$G$ to make a $G$-invariant Hermitian norm, $\langle v, w \rangle = \sum_{g \in G} \langle gv, gw \rangle_H$. Finally use 
Gram-Schmidt with this $G$-invariant norm to get a new orthonormal basis (relative 
to the new norm). Use this basis change to get a matrix for $\rho_k$, which will be 
unitary. Then the final matrix for the entire Fourier transform will be unitary, as 
desired. 

Note in the finite abelian case each irreducible representation is one dimensional, 
so each $d_\rho = 1$, and then the only representations are given by the characters in 
section 3.5. Then $\Gamma$ becomes the finite abelian Fourier transform, and this definition 
generalizes the definition given earlier. 



4.4. The Standard HSP Algorithm - Quantum Fourier Sampling. We now 
cover what is called the standard algorithm for finding hidden subgroups of a given 
group. The complexity and qubit requirements depend on the group in question; 
we will cover what is known in section 5. This section follows Hallgren [?] and 
Grigni, Schulman, Vazirani, and Vazirani [53]. 

The process about to be described is called Quantum Fourier Sampling, 
or QFS for short. It is the process of preparing a quantum state in a uniform 
superposition of states indexed by a group, then performing an oracle function, 
then a quantum Fourier transform, and finally sampling the resulting state to gather 
information about subgroups hidden by the oracle. 

We first note the standard finite abelian group case can be summarized as: 
[Algorithm 1] 

(1) Compute $\frac{1}{\sqrt{|G|}} \sum_{g \in G} |g\rangle|f(g)\rangle$ and measure the second register $f(g)$. The 
resulting superposition is then $\frac{1}{\sqrt{|H|}} \sum_{h \in H} |ch\rangle|f(ch)\rangle$ for some uniformly 
chosen coset $cH$ of $H$. 

(2) Compute the Fourier transform of the coset state, obtaining in the first 
register 

$\sum_{\rho \in \hat G} \frac{1}{\sqrt{|G||H|}} \sum_{h \in H} \rho(ch)\,|\rho\rangle,$ 

where $\hat G$ is the set of (irreducible) representations$^{24}$ $\{\rho : G \to \mathbb{C}\}$. 

(3) Measure the register, and observe a representation $\rho$. This gives information 
about $H$. 

(4) Classically process the information from the previous step to determine the 
hidden subgroup $H$. 

We can generalize this to handle the nonabelian and abelian cases in one frame- 
work via 

[Algorithm 2] 

(1) Compute $\frac{1}{\sqrt{|G|}} \sum_{g \in G} |g\rangle|f(g)\rangle$ and measure the second register $f(g)$. The 
resulting superposition is then $\frac{1}{\sqrt{|H|}} \sum_{h \in H} |ch\rangle|f(ch)\rangle$ for some uniformly 
chosen coset $cH$ of $H$. 

(2) Compute the Fourier transform of the coset state, obtaining in the first 
register 

where $\hat G$ is the set of (irreducible) representations $\{\rho : G \to \mathbb{C}\}$. 

(3) Weak form: Measure the register, and observe a representation $\rho$. This 
gives information about $H$. 

Strong form: Measure the register, and observe a representation $\rho$ as well 
as matrix indices $i$ and $j$. This gives information about $H$. 

(4) Classically process the information from the previous step to determine the 
hidden subgroup $H$. 

This algorithm gives information useful for finding generators of the hidden sub- 
group $H$. Ignoring the problem of engineering the physical quantum computer, 
there are three theoretical obstacles to making this algorithm efficient for a given 
family of nonabelian groups. They are: 

(1) We need an efficient way to compute the QFT over the groups in question, 
similar to the way that equation (36) led to an efficient quantum circuit 
computing the QFT over $\mathbb{Z}_{2^n}$. Beals [14] constructs an efficient QFT for 
the symmetric groups, and Diaconis and Rockmore [39] construct efficient 
classical Fourier transforms over many other groups. For more information 
on the QFT see [?] and section [?]. Efficient QFT quantum 
circuits are not known for all finite groups. 

(2) We need to choose a basis for the irreducible representations $\rho \in \hat G$. For the 
abelian case, the irreducible representations are one dimensional characters, 
so the basis choices are canonical, so this step is trivial. However, in the 
nonabelian case some bases may give better results. For example, it is 
known the standard method cannot solve the HSP over $S_n$ if the basis 
choice is random - it will take a clever basis choice for the irreducibles to 
obtain an efficient algorithm. 

(3) We need an efficient way to reconstruct the subgroup generators for $H$ 
from the irreducible representations returned. For the abelian case this 
is efficient since they are canonical and computing the GCD and solving 
linear systems mod $d$ are efficient classically as explained in section 3.5. 
However, this reconstruction is harder in the nonabelian case. For example, 
Ettinger, Høyer, and Knill [46] have shown only polynomially many calls in 
$\log |G|$ to the oracle distinguishes subgroups for any group $G$ information 
theoretically, but it is currently unknown how to extract generators for $H$ 
without exponential classical postprocessing time. 

24 In the abelian case these are the same as the characters. 

One immediate question is if the weak and strong forms are equivalent. Sec- 
tion 5 shows the strong form can distinguish between certain subgroups which the 
weak form cannot. The reason is roughly that conjugate subgroups determine the 
same statistics on representations, but not on rows and columns, which gives more 
information. However, there are still cases where the weak form is good enough. 
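As an added example (not code from the paper), the transform of Definition 4.1 and the weak and strong forms of step (3) of Algorithm 2 can be simulated classically for the dihedral group $D_N$ with hidden subgroup $H = \langle x^s y\rangle$; the encoding of the group, the explicit list of irreps and all sample inputs are assumptions made here. Computing both distributions shows the point just made: the weak distribution is the same for every $s$ and every coset $c$, while the strong distribution depends on $s$.

```python
# Added example, not from the paper: Definition 4.1 over the dihedral group D_N, and a
# classical simulation of quantum Fourier sampling (Algorithm 2) for H = <x^s y>.
# Assumed conventions: x^a y^b is the pair (a, b), with x^N = y^2 = 1 and y x y x = 1, so
#     (x^a y^b)(x^c y^d) = x^(a + (-1)^b c) y^(b + d).
# N is odd, so the irreps are two one-dimensional ones (trivial, and "sign" = -1 on
# reflections) and (N-1)/2 two-dimensional ones rho_k with rho_k(x) = rotation by
# 2*pi*k/N and rho_k(y) = diag(1, -1); these matrices are already unitary, and
# 1 + 1 + 4*(N-1)/2 = 2N = |G| as equation (71) requires.
import math

def elements(N):
    return [(a, b) for b in (0, 1) for a in range(N)]

def mul(g, h, N):
    (a, b), (c, d) = g, h
    return ((a + (-1) ** b * c) % N, (b + d) % 2)

def inv(g, N):
    a, b = g
    return ((-a) % N, 0) if b == 0 else (a, 1)  # every reflection x^a y is an involution

def irreps(N):
    """All irreps of D_N (N odd) as (name, d_rho, rho), rho(g) a d_rho x d_rho matrix."""
    reps = [("triv", 1, lambda g: [[1 + 0j]]),
            ("sign", 1, lambda g: [[(-1.0) ** g[1] + 0j]])]
    for k in range(1, (N - 1) // 2 + 1):
        def rho(g, k=k):
            a, b = g
            t = 2 * math.pi * k * a / N
            c, s = math.cos(t), math.sin(t)
            # rotation R(t) times diag(1, -1)^b
            return [[complex(c), complex(-s if b == 0 else s)],
                    [complex(s), complex(c if b == 0 else -c)]]
        reps.append(("rho_%d" % k, 2, rho))
    return reps

def fourier(f, N):
    """Equation (73): fhat(rho) = sqrt(d_rho/|G|) * sum_g f(g) rho(g); f is a dict g -> C."""
    fhat = {}
    for name, d, rho in irreps(N):
        scale = math.sqrt(d / (2 * N))
        M = [[0j] * d for _ in range(d)]
        for g in elements(N):
            m = rho(g)
            for i in range(d):
                for j in range(d):
                    M[i][j] += scale * f[g] * m[i][j]
        fhat[name] = M
    return fhat

def inverse_fourier(fhat, N):
    """Equation (74): f(g) = sum_rho sqrt(d_rho/|G|) * tr(fhat(rho) rho(g^-1))."""
    f = {}
    for g in elements(N):
        total = 0j
        for name, d, rho in irreps(N):
            m, M = rho(inv(g, N)), fhat[name]
            trace = sum(M[i][j] * m[j][i] for i in range(d) for j in range(d))
            total += math.sqrt(d / (2 * N)) * trace
        f[g] = total
    return f

def coset_state(N, s, c=(0, 0)):
    """Step (1) after measuring f: (1/sqrt|H|) sum_{h in H} |ch> for H = {e, x^s y}."""
    f = {g: 0j for g in elements(N)}
    for h in ((0, 0), (s, 1)):
        f[mul(c, h, N)] = 1 / math.sqrt(2)
    return f

def strong_distribution(N, s, c=(0, 0)):
    """Strong form of step (3): Pr[observe (rho, i, j)] = |fhat(rho)_ij|^2 after step (2)."""
    return {(name, i, j): abs(M[i][j]) ** 2
            for name, M in fourier(coset_state(N, s, c), N).items()
            for i in range(len(M)) for j in range(len(M))}

def weak_distribution(N, s, c=(0, 0)):
    """Weak form of step (3): Pr[observe rho], the strong distribution summed over i, j."""
    dist = {}
    for (name, _, _), p in strong_distribution(N, s, c).items():
        dist[name] = dist.get(name, 0.0) + p
    return dist

def induced_multiplicity(N, s, name):
    """Multiplicity of rho in Ind_H^G 1 for H = {e, x^s y}, by Frobenius reciprocity:
    (1/|H|) sum_{h in H} chi_rho(h).  Lets the reader check Theorem 5.10 of section 5."""
    rho = {n: r for n, _, r in irreps(N)}[name]
    chi = lambda g: sum(rho(g)[i][i] for i in range(len(rho(g))))
    return round((chi((0, 0)) + chi((s, 1))).real / 2)
```

For N = 5 the weak distribution is 1/5 on the trivial irrep, 0 on the sign irrep and 2/5 on each two-dimensional irrep for every s and c, whereas the strong probability of (rho_1, 0, 0) is 2/5 for s = 0 but only about 0.004 for s = 2.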

The next question is to ask which groups have efficient HSP algorithms, and are 
there any groups for which the HSP cannot be solved efficiently? 

These questions are ongoing research problems, and there are partial results 
showing which groups are likely to be efficiently solvable, and some negative results 
showing limitations of this approach. The next section covers many known results 
and current research directions. 

For more reading on the (classical) computation of FFT's over finite groups, see 
Babai and Rónyai [?], Baum [?], Baum and Clausen [10], [?], Baum, Clausen, 
and Tietz [?], Rockmore [?], [108], [?], and Terras [?]. 

5. Nonabelian Results 

5.1. Overview. In this section we present results about the HSP over finite non- 
abelian groups. Throughout this section we fix notation: $G$ is a member of a family 
of finite groups $\mathcal{G} = \{G_i\}$ that should be clear from context, and $H$ is a subgroup 
of $G$. The size $n$ of the problem is $n = \lceil \log |G| \rceil$ or sometimes $n = O(\log |G|)$, also 
clear from context. We say a quantum algorithm is efficient in either case if the 
circuit size is polynomial in $n$ as $G$ varies through the family. 

We also divide families of groups into three classes (following Moore, Rockmore, 
Russell, and Schulman [?]): 

I. Fully Reconstructible. Subgroups of a family of groups $\mathcal{G} = \{G_i\}$ are 
fully reconstructible if the HSP on $G_i$ can be solved with probability $> \frac{1}{2}$ 
by a quantum circuit of size polynomial in $\log |G_i|$. 
II. Measurement Reconstructible. Subgroups of a family of groups $\mathcal{G} = 
\{G_i\}$ are measurement reconstructible if the solution to the HSP on $G_i$ is 
determined information-theoretically using the fully measured result of a 
quantum circuit of size polynomial in $\log |G_i|$. 
III. Query Reconstructible. Subgroups of a family of groups $\mathcal{G} = \{G_i\}$ are 
query reconstructible if the solution to the HSP for $G_i$ is determined by 
the quantum state resulting from a quantum circuit of size polynomial in 
$\log |G_i|$, in the sense that there is a POVM that yields the subgroup $H$ 
with constant probability. There is no guarantee that this POVM can be 
implemented by a small quantum circuit. 
A primary goal of quantum algorithm research is to move groups into lower 
numbered classes, and the driving force is to place all finite groups in class I. 
Currently very few group families are class I, but we will see all finite groups are in 
class III, with some moving up to class II and I. This is contrasted with what we 
saw above: all finite abelian groups are in class I. We will see examples of each of 
the three classes below. 



5.2. A Necessary Result. In order to find an efficient quantum algorithm for a 
given family, it is necessary that $O(\mathrm{poly}(n))$ oracle queries suffices. Fortunately this 
has been shown possible for any finite group by Ettinger, Høyer, and Knill [46], [?]. 
They prove that polynomially many oracle queries in $n$ distinguishes subgroups 
information theoretically. They do this by creating the state 

(76) $|\psi\rangle = \frac{1}{\sqrt{|G|^m}} \sum_{g_1, \ldots, g_m \in G} |g_1, g_2, \ldots, g_m\rangle |f(g_1), f(g_2), \ldots, f(g_m)\rangle$ 

which requires $m$ oracle queries. Taking $m = \lceil 4n + 2 \rceil$ results in a state from 
which $H$ can be extracted with high probability, unfortunately requiring $O(|G|)$ 
operations to do so. Precisely, they prove 

Theorem 5.1. Let $G$ be a finite group, and $f$ an oracle function on $G$ which 
separates a subgroup $H$. Then there exists a quantum algorithm that calls the oracle 
function $\lceil 4 \log |G| + 2 \rceil$ times and outputs a subset $X \subseteq G$ such that $X = H$ with 
probability at least $1 - 1/|G|$. 

So for any finite group $G$ and subgroup $H$ it is possible to gather enough informa- 
tion to determine $H$ using only $O(\mathrm{poly}(\log |G|))$ queries of $f$, thus placing all finite 
groups in class III. Their proof is reproduced in section 5.7 since it is foundational. 

5.3. The Dihedral Group $D_N$. Many attempts have been made to find an effi- 
cient HSP algorithm for the dihedral groups. One reason is that it is one of the "sim- 
plest" nonabelian groups and is easily studied. Another reason is that they have 
exponentially many (in $n$) subgroups of small order, making classical algorithms 
infeasible$^{25}$. A better reason is that an efficient HSP algorithm for the dihedral 
groups gives efficient algorithms for solving some classically hard lattice problems 
[107], which is covered below. Recall $\mathbb{Z}_N$ is a cyclic group on $N$ elements$^{26}$. Then 
we define the dihedral group $D_N = \mathbb{Z}_2 \ltimes \mathbb{Z}_N$ with $2N$ elements and with relations 

(77) $x^N = y^2 = yxyx = 1.$ 

5.3.1. Equivalent Problems. Before we start on dihedral group algorithms, we re- 
mark Kuperberg [82] lists equivalences between the Dihedral HSP (DHSP) and 
other problems. Precisely we define the DHSP as finding a hidden subgroup $H$ 
that is either trivial or generated by a reflection $H = \langle x^s y \rangle$. This is equivalent to 
the general problem of determining subgroups of $D_N$ as we outline below in section 
5.3.2. 



25 For example, it takes exponentially many evaluations of $f$ just to determine if $H$ is nontrivial 
with probability bounded above $1/2$. This holds for the reasons in Simon [?]. 

26 We could abstractly call $C_N$ the cyclic group on $N$ elements, but then $C_N \cong \mathbb{Z}_N$, not always 
canonically. We choose the concrete $\mathbb{Z}_N$. 
Next we define the abelian hidden shift problem to be: given an abelian group 
$A$, a set $S$, and two injective functions $f, g : A \to S$ that differ by a hidden shift $s$ 

(78) $f(v) = g(v + s)$ 

and are otherwise distinct, then determine $s$ (using quantum oracles $f$ and $g$). 

The DHSP is equivalent to the abelian hidden shift problem with $A = \mathbb{Z}_N$. If 
we define $h : D_N \to S$ by 

(79) $h(x^n) = f(n), \qquad h(x^n y) = g(n),$ 

then $h$ hides the reflection $x^s y$. Solving the DHSP for $h$ gives $s$, solving the shift 
problem. Conversely, given the DHSP $h : D_N \to S$, define $f, g$ as in equation (79). 
Then a solution to the abelian hidden shift problem for $f$ and $g$ determines $s$, which 
determines the subgroup $H$ hidden by $h$. 

Generally, a solution to the HSP on $G = \mathbb{Z}_2 \ltimes A$ where $\mathbb{Z}_2$ acts by inversion 
on $A$ is equivalent to the abelian hidden shift problem on $A$. 

The cyclic hidden reflection problem is: $h : \mathbb{Z}_N \to S$ satisfies 

(80) $h(n) = h(s - n)$ 

and otherwise takes distinct values. We want to find $s$. This problem is equivalent 
to the DHSP; we show it equivalent to the abelian hidden shift problem as follows. 
It reduces to the shift problem by defining the ordered pairs 

(81) $f(n) = (h(-n), h(-n-1)), \qquad g(n) = (h(n), h(n+1)).$ 

We need pairs to ensure $f$ and $g$ are injective. Then $f(n) = g(s + n)$ and they are distinct 
otherwise, giving the reduction. 

Conversely, if $f, g : \mathbb{Z}_N \to S$ are injective and 

(82) $f(n) = g(s + n)$ 

then we can define the unordered pairs 

(83) $h(n) = \{f(-n), g(n)\},$ 

which reduces the hidden reflection problem to the shift problem. Note $h(n) = 
\{f(-n), g(n)\} = \{g(s - n), f(n - s)\} = \{f(-(s - n)), g(s - n)\} = h(s - n)$. 
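The reductions (79), (81) and (83), as an added example that is not from the paper, checked by brute force for a small $N$; the encoding of $D_N$, the injective sample functions and the brute-force solver are assumptions made here.

```python
# Added example, not from the paper: the reductions of section 5.3.1 between the dihedral
# HSP (DHSP), the abelian hidden shift problem on Z_N and the cyclic hidden reflection
# problem.  Assumed encoding: x^a y^b is the pair (a, b), with
# (x^a y^b)(x^c y^d) = x^(a + (-1)^b c) y^(b + d); functions are dicts.  The injective
# sample functions built below are constructed inputs, not data from the paper.

def dn_mul(p, q, N):
    (a, b), (c, d) = p, q
    return ((a + (-1) ** b * c) % N, (b + d) % 2)

def hidden_shift_instance(N, s):
    """Injective g: Z_N -> S and f(v) = g(v + s), equation (78).  Any injection g will do."""
    g = {v: "label-%d" % (N - 1 - v) for v in range(N)}
    f = {v: g[(v + s) % N] for v in range(N)}
    return f, g

def dhsp_from_shift(f, g, N):
    """Equation (79): h(x^n) = f(n) and h(x^n y) = g(n); then h hides H = <x^s y>."""
    h = {(n, 0): f[n] for n in range(N)}
    h.update({(n, 1): g[n] for n in range(N)})
    return h

def separates(h, H, N):
    """True iff h is constant on each left coset pH and distinct across cosets."""
    for p in h:
        for q in h:
            same_coset = any(dn_mul(p, k, N) == q for k in H)
            if (h[p] == h[q]) != same_coset:
                return False
    return True

def solve_dhsp_brute_force(h, N):
    """Classical baseline: the reflection x^s y in H is the one with h(x^s y) = h(e).
    Every one of the N = 2^n reflections is tried, the cost the quantum algorithms avoid."""
    return next(s for s in range(N) if h[(s, 1)] == h[(0, 0)])

def reflection_instance(N, s):
    """A cyclic hidden reflection instance, equation (80): h(n) = h(s - n), else distinct."""
    return {n: "r-%d" % min(n, (s - n) % N) for n in range(N)}

def shift_from_reflection(h, N):
    """Equation (81): ordered pairs make f and g injective, with f(n) = g(s + n)."""
    f = {n: (h[(-n) % N], h[(-n - 1) % N]) for n in range(N)}
    g = {n: (h[n], h[(n + 1) % N]) for n in range(N)}
    return f, g

def reflection_from_shift(f, g, N):
    """Equation (83): the unordered pair h(n) = {f(-n), g(n)} satisfies h(n) = h(s - n)."""
    return {n: frozenset((f[(-n) % N], g[n])) for n in range(N)}
```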

5.3.2. Dihedral Results. Now we cover what is known about the DHSP. 

Ettinger and Høyer [45] show an algorithm that produces data sufficient to de- 
termine any hidden subgroup $H$ in a dihedral group $D_N$, but it is unknown if this 
data can be post processed in $O(\mathrm{poly}(n))$ time to reconstruct the subgroup $H$. This 
is stronger than the result in [?] since it returns the classical data from the quan- 
tum state. [?] only constructed a state determining $H$, but required exponential 
time to extract that information to classical information. Their algorithm exploits 
the normality of the (abelian) cyclic group $\mathbb{Z}_N \triangleleft D_N$, and uses the abelian QFT 
to gather information which is then extended to determine the subgroup $H$. They 
reduce to the case of finding a subgroup $H$ generated by a reflection. They prove 

Theorem 5.2. Let $f$ be a function that separates $H$ in the dihedral group $D_N$. 
There exists a quantum algorithm that uses $O(\log N)$ evaluations of $f$ and outputs 
a subset $X \subseteq H$ such that $X$ is a generating set for $H$ with probability at least 
$1 - \frac{2}{N}$. 
Following Ettinger and Høyer [45], we outline the proof that it is sufficient to 
solve the DHSP for the simpler case where $H$ is either trivial or generated by a 
reflection. We want to find the hidden subgroup $H < D_N$, where we view $D_N$ 
as the semidirect product $\mathbb{Z}_N \rtimes \mathbb{Z}_2$. Using the abelian QFT algorithm, we find 
$H_1 = H \cap (\mathbb{Z}_N \times \{0\})$, which is normal in $D_N$. Then we work on the quotient 
group $D_N / H_1 \cong D_M$ with $M = [\mathbb{Z}_N \times \{0\} : H_1]$, and find $H / H_1$ which is either 
generated by a reflection $r + H_1$ or is trivial. Precisely, 

Theorem 5.3. Let $f$ be a function that separates $H$ in the dihedral group $D_N$, 
and suppose we are promised that $H = \{0\}$ is trivial or $H = \{0, r\}$ is generated by 
a reflection $r$. Then there exists a quantum algorithm that given $f$, outputs either 
"trivial" or the reflection $r$. If $H$ is trivial, the output is always trivial, otherwise 
the algorithm outputs $r$ with probability at least $1 -$ . The algorithm uses at most 
$89 \log_2(N) + 7$ evaluations of $f$ and it runs in time $O(\sqrt{N})$. 

Finally, Kuperberg [82] gives a subexponential time quantum algorithm for solv- 
ing the dihedral HSP, using time and query complexity $O(\exp(C\sqrt{\log N}))$ for $D_N$. 
This is much better than the classical query complexity of $O(\sqrt{N})$. Unfortunately 
this algorithm requires $\Theta(\exp(C\sqrt{\log N}))$ quantum space. Variants of this algo- 
rithm also work for the abelian hidden shift problem described above and for the 
hidden substring problem$^{27}$. The main results are 

Theorem 5.4. There is an algorithm that finds a hidden reflection in the dihedral 
group $G = D_N$ (of order $2N$) with time and query complexity $O(\exp(C\sqrt{\log N}))$. 

Theorem 5.5. The abelian hidden shift problem has an algorithm with time and 
query complexity $O(\exp(C\sqrt{n}))$ where $n$ is the length of the output, uniformly for 
all finitely generated abelian groups. 

(Note this is even true for infinite groups; we only need finitely generated!) 

Corollary 5.6. The $N \times 2N$ hidden substring problem has an algorithm with 
time and query complexity $O(\exp(C\sqrt{\log N}))$. 

5.4. Groups with an Efficient QFT. Next we turn to some other groups with 
an efficient QFT. To use the standard weak or strong form of the algorithm, we need 
to be able to compute efficiently the Fourier transform of a function over a given 
group. So in this section we list some of the groups for which efficient quantum 
Fourier transform algorithms are known. 

Zalka [129] gives an algorithm for the HSP on wreath product groups $G = \mathbb{Z}_2^n \wr \mathbb{Z}_2$. 
The idea is similar to Ettinger and Høyer in that it finds generators for an 
abelian subgroup in the desired subgroup, and then extends it. 

Høyer [?] shows how to construct QFT for many groups: quaternions, a class 
of metacyclic$^{28}$ groups (up to phase), and a certain subgroup $E_n$ of the orthogonal 
group $O(2^n)$ useful for quantum error correction [?]. 

Beth, Püschel, Rötteler [20] show how to do the QFT efficiently on a class of 
groups - solvable 2-groups containing a cyclic normal subgroup of index 2 ($|G|$ is 
a power of 2 and solvable). They give reference to the fact for $n \geq 3$ there are 
exactly 4 isomorphism classes of such nonabelian groups of order $2^{n+1}$ with a cyclic 
subgroup of order $2^n$: 



27 See the paper for a precise definition. It is basically a string matching algorithm. 
28 A group $G$ is metacyclic if it contains a cyclic normal subgroup $H$ such that the quotient 
group $G/H$ is cyclic. 

• the dihedral group $D_{2^{n+1}} = \langle x, y \mid x^{2^n} = y^2 = 1,\ yxyx = 1 \rangle$, 

• the quaternion group $Q_{2^{n+1}} = \langle x, y \mid x^{2^n} = y^4 = 1,\ y^3 xyx = 1 \rangle$, 

• the quasi-dihedral group $QD_{2^{n+1}} = \langle x, y \mid x^{2^n} = y^2 = 1,\ yxy = x^{2^{n-1} - 1} \rangle$, 

• the group $QP_{2^{n+1}} = \langle x, y \mid x^{2^n} = y^2 = 1,\ yxy = x^{2^{n-1} + 1} \rangle$. 

Beals [14] shows how to compute the QFT over $S_n$ in time $O(\mathrm{poly}(n))$, by adapt- 
ing the methods of Clausen [?] and Diaconis-Rockmore [39] to the quantum setting. 

Moore, Rockmore, and Russell [?] show how to construct efficient quantum 
Fourier transform circuits of size $O(\mathrm{poly} \log |G|)$ for many groups, including 

• the Clifford groups $CL_n$, 

• the symmetric group, recovering Beals' algorithm [14], 

• wreath products $G \wr S_n$, where $|G| = O(\mathrm{poly}(n))$, 

• metabelian groups (semidirect products of two abelian groups), including 
metacyclic groups such as the dihedral and affine groups, recovering the 
algorithm of Høyer [?], 

• bounded extensions of abelian groups such as the generalized quaternions, 
recovering the algorithm of Püschel et al. [?]. 

Their results also give subexponential size quantum circuits for the linear groups 
$GL_k(q)$, $SL_k(q)$, $PGL_k(q)$, $PSL_k(q)$, for a fixed prime power $q$, finite groups of 
Lie type, and the Chevalley and Weyl groups. Unfortunately, defining polynomi- 
ally uniform, adapted diameter, homothetic, and multiplicity would take us too far 
afield; see their paper for details. These have to do with certain group items being 
efficiently computable. But we state their two main theorems anyway: 

Theorem 5.7. If $G$ is a polynomially uniform group with a subgroup tower $G = 
G_m > G_{m-1} > \cdots > 1$ with adapted diameter $D$, maximum multiplicity $M$, and 
maximum index $I = \max_i [G_i : G_{i-1}]$, then there is a quantum circuit of size 
$\mathrm{poly}(I \times D \times M \times \log |G|)$ which computes the quantum Fourier transform over 
$G$. 

Theorem 5.8. If $G$ is a homothetic extension of $H$ by an abelian group, then the 
quantum Fourier transform of $G$ can be obtained using $O(\mathrm{poly} \log |G|)$ elementary 
quantum operations. 

5.5. HSP Algorithms and Groups. 

5.5.1. Group Definitions I. $H$ is a subgroup of $G$; let $N(H)$ or $N_G(H)$ be the 
normalizer of $H$ in $G$. Let $M_G$ be the intersection of all normalizers in $G$, i.e., 
$M_G = \bigcap_{H < G} N(H)$. $M_G$ is a subgroup of $G$, and the index $[G : M_G]$ can be taken as a measure of how 
nonabelian $G$ is ($[G : M_G] = 1$ for abelian groups). $H_G$ is the largest subgroup of 
$H$ that is normal in $G$, and is called the normal core of $H$. 

Definition 5.9 (Wreath Product). The wreath product of two finite groups $G$ 
and $H$ is defined as follows. For $|H| = n$, view $H$ as a subgroup of the symmetric 
group $S_n$ on $n$ items. Let $P = G \times \cdots \times G$ be the direct product of $n$ copies of 
$G$. The wreath product $G \wr H$ of $G$ with $H$ is a semidirect product $P \rtimes H$ with 
multiplication 

(84) $(g_1, \ldots, g_n; \tau)(g'_1, \ldots, g'_n; \tau') = (g_{\tau'(1)} g'_1, \ldots, g_{\tau'(n)} g'_n;\ \tau\tau')$ 

That is, the permutations in $H$ are composed as usual, but the right permutation 
permutes the left factors of $P$ and then the $n$-tuple is multiplied pointwise. It is 
instructive to verify this operation forms a group. 
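As an added example (not the paper's own code), the check suggested above: equation (84) implemented for $\mathbb{Z}_3 \wr S_2$ and verified to satisfy the group axioms by exhaustion; the element encoding and the permutation composition convention are assumptions stated in the comments.

```python
# Added example, not from the paper: the wreath product multiplication of equation (84),
# checked to be a group by brute force on Z_3 wr S_2.  Assumed conventions: an element is
# (g_1, ..., g_n; tau) with g_i in G and tau a permutation of {0, ..., n-1} stored as a
# tuple (tau[i] is the image of i); permutations compose as functions,
# (tau tau')(i) = tau(tau'(i)).  G is given by an element list and a multiplication function.
import itertools

def wreath_elements(G, n, H):
    return [(tuple(gs), tau) for gs in itertools.product(G, repeat=n) for tau in H]

def wreath_mul(x, y, gmul):
    """Equation (84): (g; tau)(g'; tau') = (g_{tau'(1)} g'_1, ..., g_{tau'(n)} g'_n; tau tau')."""
    (g, tau), (gp, taup) = x, y
    return (tuple(gmul(g[taup[i]], gp[i]) for i in range(len(g))),
            tuple(tau[taup[i]] for i in range(len(taup))))

def is_group(elems, op):
    """Closure, associativity, a unique two-sided identity and inverses, all by exhaustion."""
    S = set(elems)
    if any(op(a, b) not in S for a in elems for b in elems):
        return False
    if any(op(op(a, b), c) != op(a, op(b, c)) for a in elems for b in elems for c in elems):
        return False
    ident = [e for e in elems if all(op(e, a) == a and op(a, e) == a for a in elems)]
    if len(ident) != 1:
        return False
    return all(any(op(a, b) == ident[0] for b in elems) for a in elems)

def z3_wr_s2():
    """Z_3 wr S_2: G = Z_3 under addition mod 3, H = S_2 acting on the two coordinates.
    Returns the element list and the multiplication of equation (84)."""
    G = [0, 1, 2]
    H = [(0, 1), (1, 0)]
    return wreath_elements(G, 2, H), lambda x, y: wreath_mul(x, y, lambda a, b: (a + b) % 3)
```

The order of the result is $|G|^n |H| = 3^2 \cdot 2 = 18$, and the right permutation swaps the left factors before the pointwise product, e.g. $((1,2); e)\,((0,0); (0\,1)) = ((2,1); (0\,1))$.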

5.5.2. Normal Subgroups Can be Found in Any Group. Hallgren, Russell, and Ta- 
Shma (2002) [?] prove that the natural extension of the abelian case algorithm 
finds $H_G$ efficiently, the normal core of $H$. This also gives that normal subgroups 
can be found efficiently by the standard (weak or strong version of the) algorithm. 
In particular, this allows finding hidden subgroups in Hamiltonian groups (groups 
whose subgroups are all normal); the nonabelian Hamiltonian groups are of the 
form $\mathbb{Z}_2 \times B \times Q$, where $Q$ is the 8 element quaternion group and $B$ is an abelian 
group with exponent$^{29}$ $b$ coprime with 2. See Rotman [111, Exercise 4.28]. They 
show the probability of measuring a representation $\rho$ is independent of the coset of 
$H$. 

Theorem 5.10. The probability of measuring the representation $\rho$ in Algorithm 2 
of section 4.4 is $\frac{d_\rho |H|}{|G|}$ times the number of times $\rho$ appears in $\operatorname{Ind}_H^G 1_H$. 



They also obtain: 

Theorem 5.11. Let $H$ be an arbitrary subgroup of $G$, and let $H_G$ be the largest 
subgroup of $H$ that is normal in $G$. With probability at least $1 - 2\exp(-\log^2 |G| / 8)$, 
$H_G$ is determined by observing $O(\log |G|)$ independent trials of QFS. 

In fact, if $\rho_1, \ldots, \rho_m$ are the representations sampled by $m$ repetitions of the 
algorithm, then $H_G = \bigcap_i \ker \rho_i$ with high probability. 

They also show that weak QFS does not distinguish between order 1 and 2 
subgroups in $S_n$: 

Theorem 5.12. For $S_n$, there is a subgroup $H_n$ so that the weak QFS does not dis- 
tinguish (even information theoretically) the case that the hidden subgroup is trivial 
from the case the hidden subgroup is $H_n$. Specifically, the distributions induced on 
representations in these two cases have exponentially small total variation distance. 

Theorem 5.13. Let $H$ be an arbitrary subgroup of $G$, and let $H_G$ be the largest 
subgroup of $H$ that is normal in $G$. With probability at least $3/4$, $H_G$ is uniquely 
determined by observing $m = O(\log |G|)$ independent trials of Algorithm 2 of sec- 
tion 4.4 when $H$ is the hidden subgroup. When $H$ is normal, $H_G = H$, and this 
determines $H$. 

5.5.3. "Almost Abelian" Subgroups Can be Found and Measuring Rows is Strong 
Enough. Grigni, Schulman, Vazirani, and Vazirani [53] show another class of groups 
for which the HSP has an efficient quantum solution - what they call "almost 
abelian" groups. These are groups for which the intersection $M(G)$ of all the 
normalizers of all subgroups of $G$ is large. For $n = \log |G|$, they require $[G : M(G)]$ 
(called the Baer norm [?]) to be of order $\exp \Theta(\log^{1/2} n)$, and then the HSP can 
be solved if the QFT can be performed efficiently. In particular they show that 
the subgroups of the semidirect product $\mathbb{Z}_m \rtimes \mathbb{Z}_3$ for $m$ a power of 2 can be found 
efficiently. 



29 Recall the exponent $a$ of a group $G$ is the smallest integer $a$ such that $g^a = e$, the identity, 
for every element $g \in G$, if such an integer exists. 

Another useful result in their paper shows that measuring both the row and col- 
umn in the strong form of the QFT gives no more information than measuring just 
one of them (depending on how one lets the irreps act - left or right). This follows 
from the quantum mechanical requirement that the irreps are unitary matrices, and 
thus each matrix row (or column) has the same norm, which gets "absorbed." 

Most importantly, they show that even using the strong form with a random 
basis for the irreps, the strong QFS algorithm cannot distinguish between the case 
of a trivial subgroup and an order two subgroup without exponentially many oracle 
queries. 

The restriction on the size of $M(G)$ was extended by Gavinsky [51] to al- 
low $[G : M(G)]$ to be of size $O(\mathrm{poly}(n))$, allowing the corresponding HSP to be 
solved efficiently if the QFT over $G$ can be. These groups are labelled "poly-near- 
hamiltonian groups." A final algorithm in this paper shows how to solve the HSP 
efficiently on poly-near-hamiltonian groups even when the QFT over the group $G$ 
is not known to be efficient, by using QFS over a hamiltonian group, which was 
shown to be efficient by a result from above. 

5.5.4. Strong is Indeed Stronger. Moore, Rockmore, Russell, and Schulman [9^ 
show that the strong form is indeed stronger, by exhibiting semidirect products 
1i q ix Z p (the q-hedral groups, which include the affine groups A p = Z* x Z p ) , where 
q\(p — 1) and q = p/polylog(p), such that the strong form can determine hidden 
subgroups efficiently, but the weak form and "forgetful" abclian form cannot. They 
also prove a closure property for the class of groups over which the HSP can be 
solved efficiently: 

Theorem 5.14. Let $H$ be a group for which hidden subgroups are fully reconstructible, and $K$ a group of size polynomial in $\log |H|$. Then hidden subgroups in any extension of $K$ by $H$, i.e. any group $G$ with $K \triangleleft G$ and $G/K \cong H$, are fully reconstructible.

They also place some groups in class I. 

Theorem 5.15. Let $p$ be a prime, $q$ a positive integer, and $G = Z_q \rtimes Z_p$. Then

(1) if $q$ is prime and $q = (p - 1)/\mathrm{polylog}(p)$, then subgroups of $G$ are fully reconstructible (class I),

(2) if $q$ divides $p - 1$, then hidden conjugates of $H$ in $G$ are fully reconstructible (class I) if $H$ has index $\mathrm{polylog}(p)$,

(3) if $q$ divides $p - 1$, then hidden conjugates of $H$ in $G$ are measurement reconstructible (class II),

(4) if $q$ divides $p - 1$, then subgroups of the $q$-hedral groups $G$ are measurement reconstructible (class II). In particular, the subgroups of the affine groups $A_p = Z_p^* \rtimes Z_p$ are measurement reconstructible (class II).

For another direction studying the HSP over infinite groups, see Lomonaco and Kauffman [85]. They consider a version of the HSP for finding periods of functions over the real numbers $\mathbb{R}$, although it is not clear if these could be physically implemented due to $\mathbb{R}$ being an infinite set. They have a good overview of the HSP in



Rötteler and Beth [112] give an efficient algorithm solving the HSP on wreath products $W_n = Z_2^n \wr Z_2$ (like Zalka) by giving quantum circuits for the QFT and showing how to reconstruct the subgroup efficiently from samples. It uses $O(n)$ queries of $f$ and $O(\mathrm{poly}(n))$ classical post-processing time, putting these groups in Class I. It is similar to the method of Ettinger and Høyer.

In [43] Ettinger and Høyer construct a quantum observable for the graph isomorphism problem. Given two graphs of $n$ vertices and an integer $m$, they define a quantum state on $O(mn)$ qubits, that when observed, outputs "yes" with certainty if the graphs are isomorphic and "no" with probability at least 1 − ^ if they are not isomorphic. It is unknown if this observable can be implemented efficiently.

Cleve and Watrous [?] show how to reduce the complexity and size of the QFT for $Z_{2^m}$.

Theorem 5.16. For any $m$ there is a quantum circuit that exactly computes the QFT modulo $2^m$ that has size $O(m(\log m)^2 \log\log m)$ and depth $O(m)$.

Theorem 5.17. For any $m$ and $\epsilon$ there is a quantum circuit that approximates the QFT modulo $2^m$ that has size $O(m \log(m/\epsilon))$ and depth $O(\log m + \log\log(1/\epsilon))$.

They give an upper bound.

Theorem 5.18. Any quantum circuit consisting of one- and two-qubit gates that approximates the QFT with precision $\epsilon$ or smaller must have depth at least $\log n$.



5.5.5. Lattice Problems. Regev [107] shows that an efficient algorithm solving the HSP for dihedral groups would result in efficient algorithms for solving the Unique Shortest Vector Problem (SVP) and the subset-sum problem. First we sketch some definitions. A lattice is the set of all integral linear combinations of $k$ linearly independent vectors in $\mathbb{R}^k$. This set of $k$ vectors is called the basis of the lattice. The SVP is the problem of finding the shortest nonzero vector in this lattice, given the basis. In the $f(k)$-unique-SVP we are given the promise that the shortest vector is shorter by at least a factor of $f(k)$ than all other non-parallel vectors. We also define the Dihedral Coset Problem (DCP). The input to the DCP for the dihedral group $D_N$ of order $2N$ is a tensor product of polynomially many (in $N$) registers, each with the state $|0, x\rangle + |1, (x + d \bmod N)\rangle$ for some arbitrary $x \in \{0, 1, \ldots, N - 1\}$, and $d$ is the same for all registers. The goal is to find $d$. We say the DCP has failure parameter $a$ if each of the registers with probability at most $1/(\log N)^a$ is in the state $|b, x\rangle$ for arbitrary $b$. We take $N = k$, so the dihedral group size is determined by the dimension of the lattice. The main theorem is then

Theorem 5.19. If there exists a solution to the DCP with failure parameter $a$ then there exists a quantum algorithm that solves the $\Theta(k^{1/2 + 2a})$-unique-SVP.

Thus an efficient Dihedral HSP algorithm would give an efficient $f(k)$-unique-SVP algorithm.

5.5.6. Distinguishable Subgroups of $S_n$. Kempe and Shalev [74] analyze which subgroups of $S_n$ can be distinguished efficiently using QFS. $H \le S_n$ is primitive if it is transitive, and does not preserve a non-trivial partition of the permutation domain. They show

Theorem 5.20. Let $H \ne A_n, S_n$ be a subgroup of $S_n$, with $H$ a primitive subgroup. Then $H$ is indistinguishable.

Theorem 5.21. A subgroup $H \le S_n$ with property T (below) can be efficiently distinguished from the identity subgroup using either the weak or strong standard method with random basis only if it contains an element of constant support (i.e., a permutation in which all but a constant number of points are fixed). Property T can be any of the following:

• $H$ is of polynomial size,

• $H$ is primitive.

They also show other properties T for which the statement is true, and conjecture it is true for all subgroups of $S_n$. If their conjecture is true, which amounts to proving the following conjecture, then QFS with random basis provides no advantage over classical search. The minimal degree of a subgroup $H \le S_n$ is defined to be the minimal number of points moved by a non-identity element of $H$. The support of an element is the number of points moved. Then the conjecture is

Conjecture 5.22. Every subgroup $H \le S_n$ with non-constant minimal degree has at most $n^{k/7}$ elements of support $k$.

5.6. Black-Box Group Algorithms.

5.6.1. Black-box Group Algorithms. Black-box groups were introduced by Babai and Szemerédi in 1984 [6]. In the context of black-box groups, each group element is encoded as a length $n = O(\log |G|)$ string, and we assume group operations (multiplication, inverse, identity testing) are performed by a group oracle (or black box) in unit time. If each element is represented by a unique string this is called the unique encoding model, otherwise it is not unique encoding. A black-box group without unique encoding augmented by an oracle that can recognize any encoding of the identity element in unit time can compare elements for equality in unit time. Any efficient algorithm in the context of black-box groups remains efficient whenever the group oracle can be replaced by an efficient process. It is provably impossible to compute group orders in time polynomial in the log of the group size, even for abelian groups. This becomes possible using quantum algorithms, as we will see. A black-box group $G$ is defined by a set of $m$ generators, each of length $n$ bits, i.e., $G = \langle g_1, g_2, \ldots, g_m \rangle$. The quantity $mn$ is called the input size for the group. Throughout this section on black-box group algorithms we reserve $n$ to denote the length of the strings representing the finite group $G$, and all groups are finite.

5.6.2. Group Definitions. To state results for black-box group algorithms we need more definitions. Given a group $G$ and elements $g, h \in G$, we define the commutator of $g$ and $h$, denoted $[g, h]$, to be $[g, h] = g^{-1} h^{-1} g h$, and for any two subgroups $H, K \le G$ we write $[H, K]$ to denote the subgroup of $G$ generated by all commutators $[h, k]$ for $h \in H$ and $k \in K$. The derived subgroup (also known as the commutator subgroup) of $G$ is $G' = [G, G]$, and we write

$G^{(0)} = G, \qquad G^{(i+1)} = [G^{(i)}, G^{(i)}].$

A group $G$ is said to be solvable if $G^{(m)} = \{1\}$ (the trivial group) for some value of $m$.

A composition series for $G$ is a sequence of subgroups of $G$, $G = G_1 \triangleright G_2 \triangleright \cdots \triangleright G_t = 1$, such that $G_{i+1}$ is normal in $G_i$, and the factor groups $G_i/G_{i+1}$ are simple. The factor groups $G_i/G_{i+1}$ are unique up to isomorphism and ordering. Beals and Babai define $\nu(G)$ as the smallest natural number $\nu$ such that every nonabelian composition factor of $G$ possesses a faithful permutation representation of degree at most $\nu$. Thus for a solvable group $\nu(G) = 1$ (solvable implies factor groups are cyclic, hence abelian, hence have only trivial irreducible representations). It is known that $\nu(G)$ is polynomially bounded in the input size in many important cases, such as permutation groups or matrix groups over algebraic number fields.

A presentation of $G$ is a sequence $g_1, \ldots, g_s$ of elements generating $G$, together with a set of group expressions in variables $x_1, \ldots, x_s$ called relations, such that $g_1, \ldots, g_s$ generate $G$ and the kernel of the homomorphism from the free group $F(x_1, \ldots, x_s) \to G$ given by $x_i \mapsto g_i$ is the smallest normal subgroup of $F$ containing the relations. This gives a non-canonical yet very concrete description of $G$ as the set of "strings" of the $g_i$ and equivalence relations on those strings. Note the generators in the presentation may differ from the original generators given for $G$.

A nice representation of a factor group $G_i/G_{i+1}$ means a homomorphism from $G_i$ with kernel $G_{i+1}$ to either a permutation group of degree polynomially bounded in the input size + $\nu(G)$ or to $Z_p$, where $p$ is a prime dividing $|G|$.

The exponent of a group is the smallest integer $m$ such that $g^m = e$ for all $g \in G$. Lagrange's theorem gives $m \le |G|$.

An abelian group (family) is smoothly abelian if it can be decomposed into the direct product of a subgroup of bounded exponent and a subgroup of polylogarithmic size in the order of the group. A solvable group (family) is smoothly solvable if its derived series is of bounded length and has smoothly abelian factor groups.

A constructive membership test is the following: given pairwise commuting group elements $h_1, h_2, \ldots, h_r, g$ of a group $G$, either express $g$ as a product of powers of the $h_i$'s or report that no such expression exists.
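As an added illustration (not code from the paper), the definitions above (commutator, derived subgroup, derived series, solvability, exponent) computed on small symmetric groups that are given, as a black-box group is, only by a generating set and a multiplication rule; all function names are ours.

```python
# Added example, not from the paper: the group definitions of section 5.6.2
# made concrete for permutation groups given only by generators.
from math import gcd


def compose(p, q):
    """Product p*q of permutations (tuples of 0..n-1): apply q, then p."""
    return tuple(p[q[i]] for i in range(len(p)))


def inverse(p):
    inv = [0] * len(p)
    for i, pi in enumerate(p):
        inv[pi] = i
    return tuple(inv)


def identity(n):
    return tuple(range(n))


def closure(gens, n):
    """All elements of <gens>: breadth-first multiplication by generators."""
    e = identity(n)
    seen = {e}
    frontier = [e]
    while frontier:
        nxt = []
        for g in frontier:
            for s in gens:
                h = compose(g, s)
                if h not in seen:
                    seen.add(h)
                    nxt.append(h)
        frontier = nxt
    return seen


def commutator(g, h):
    """[g, h] = g^{-1} h^{-1} g h, as defined in the text."""
    return compose(compose(inverse(g), inverse(h)), compose(g, h))


def commutator_subgroup(group, n):
    """G' = [G, G]: the subgroup generated by all commutators [g, h]."""
    gens = {commutator(g, h) for g in group for h in group}
    return closure(list(gens), n)


def derived_series(gens, n):
    """G^(0) = G, G^(i+1) = [G^(i), G^(i)], listed until it stops shrinking."""
    series = [closure(gens, n)]
    while True:
        nxt = commutator_subgroup(series[-1], n)
        if len(nxt) == len(series[-1]):
            return series
        series.append(nxt)


def is_solvable(gens, n):
    """Solvable iff the derived series reaches the trivial group."""
    return len(derived_series(gens, n)[-1]) == 1


def order(p):
    """Order of a single element: smallest k with p^k = e."""
    e = identity(len(p))
    k, q = 1, p
    while q != e:
        q = compose(q, p)
        k += 1
    return k


def exponent(group):
    """Exponent (footnote 29): smallest m with g^m = e for all g, i.e. the lcm of element orders."""
    m = 1
    for g in group:
        o = order(g)
        m = m * o // gcd(m, o)
    return m


def symmetric_group_gens(n):
    """S_n is generated by the transposition (0 1) and the n-cycle (0 1 ... n-1)."""
    t = list(range(n))
    t[0], t[1] = 1, 0
    c = tuple((i + 1) % n for i in range(n))
    return [tuple(t), c]


if __name__ == "__main__":
    for n in (4, 5):
        print(n, [len(g) for g in derived_series(symmetric_group_gens(n), n)],
              "solvable" if is_solvable(symmetric_group_gens(n), n) else "not solvable")
```

For S_4 the derived series has orders 24, 12, 4, 1 (S_4 ▷ A_4 ▷ V_4 ▷ 1), so S_4 is solvable, while for S_5 it stops at A_5 of order 60.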

5.6.3. Results. Our first result, the basis for many later ones, allows computing a canonical decomposition of a finite abelian group from a generating set in polynomial time, i.e.,

Theorem 5.23 (Cheung, Mosca). Given a finite abelian black-box group $G$ with unique encoding, the decomposition of $G$ into a direct sum of cyclic groups of prime power order can be computed in time polynomial in the input size by a quantum computer.

Watrous [125] shows how to construct quantum certificates proving group non-membership efficiently, and shows this is not possible classically.

Watrous [126] gives a polynomial-time quantum algorithm for computing the order of a solvable group, which gives polynomial-time algorithms for membership testing of an element in a subgroup, testing subgroup equality given two descriptions of the subgroups, and testing subgroup normality, each for solvable groups. The main result is

Theorem 5.24 (Group Order). Given a finite, solvable black-box group $G$, there exists a quantum algorithm that outputs the order of $G$ with probability of error bounded by $\epsilon$ in time polynomial in the input size + $\log(1/\epsilon)$. The algorithm produces a quantum state $\phi$ that approximates the state $|G\rangle = |G|^{-1/2} \sum_{g \in G} |g\rangle$ with accuracy $\epsilon$ in the trace norm metric.

This result was also obtained using a different algorithm by Ivanyos et al. [56] in a paper extending many of the black-box group results from Beals-Babai to the quantum setting. They obtain
Theorem 5.25. Let $G$ be a finite black-box group with not necessarily unique encoding. Assume the following are given:

(a) an oracle for computing the orders of elements of $G$,

(b) an oracle for the constructive membership tests in elementary abelian subgroups of $G$.

Then the following tasks can be solved by quantum algorithms of running time polynomial in the input size + $\nu(G)$:

(1) constructive membership tests in subgroups of $G$,

(2) computing the order of $G$ and a presentation for $G$,

(3) finding generators for the center of $G$,

(4) constructing a composition series $G = G_1 \triangleright G_2 \triangleright \cdots \triangleright G_t = 1$ for $G$, together with nice representations of the composition factors $G_i/G_{i+1}$,

(5) finding Sylow subgroups of $G$.

The hypotheses (a) and (b) can be met in many cases. For example, using Shor's order finding method to compute element orders, they give:

Theorem 5.26. Assume $G$ is a black-box group with unique encoding. Then each task in theorem 5.25 can be solved in time polynomial in the input size + $\nu(G)$ by a quantum algorithm.

Theorem 5.27. Assume $G$ is a black-box group with not necessarily unique encoding, and that $N$ is a normal subgroup given as a hidden subgroup of $G$ (i.e., there is an $f$ hiding $N$). Then there are quantum algorithms each with running time polynomial in the input size + $\nu(G/N)$ that perform:

• all the tasks in theorem 5.25 for $G/N$,

• finding generators for $N$. In particular, we can find hidden normal subgroups of solvable black-box groups and permutation groups in polynomial time in input size + $\nu(G/N)$ (note we do not need an efficient QFT as in Hallgren et al.).

If, instead of giving $N$ as a hidden subgroup, $N$ is given by generators, and $N$ is solvable or of polynomial size, then all the tasks listed in theorem 5.25 can be solved for $G/N$ in time polynomial in the input size + $\nu(G)$.

Theorem 5.28. Let $G$ be a black-box group with unique encoding. The HSP can be solved by a quantum algorithm in time polynomial in the input size + $|G'|$, the size of the commutator subgroup of $G$.

This includes the wreath products $Z_2^n \wr Z_2$ of Rötteler and Beth [112]. A question remains: the above proofs only use the abelian QFT to get the results. Does using the nonabelian QFTs give better results?

Friedl et al. [?] introduced the Orbit Coset problem as a generalization of the hidden subgroup and hidden shift^{30} problems. Hidden shift was defined above in section 5.3.1. As mentioned there, when $G$ is abelian, hidden shift is equivalent to the HSP in the semidirect product $G \rtimes Z_2$.

Definition 5.29 (Orbit Coset and Orbit Superposition). Let $G$ be a finite group acting on a finite set $\Gamma$ of mutually orthogonal quantum states.

^{30} Hidden shift is called hidden translation in their paper.

• Given generators for $G$ and two quantum states $|\phi_0\rangle, |\phi_1\rangle \in \Gamma$, the problem Orbit Coset is to either reject the input if $G(|\phi_0\rangle) \cap G(|\phi_1\rangle) = \emptyset$, or output a generating set for $G_{|\phi_1\rangle}$ of size $O(\log |G|)$ and a $u \in G$ such that $|u \cdot \phi_1\rangle = |\phi_0\rangle$.

• Given generators for $G$ and a quantum state $|\phi\rangle \in \Gamma$, the problem Orbit Superposition is to construct the uniform superposition $|G \cdot \phi\rangle = \frac{1}{\sqrt{|G(|\phi\rangle)|}} \sum_{|\phi'\rangle \in G(|\phi\rangle)} |\phi'\rangle$.

Theorem 5.30. Let $p$ be a fixed prime. Then

• the problem of hidden shift over $Z_p^n$ can be solved in quantum polynomial time,

• the problem of Hidden Subgroup over $Z_p^n \rtimes Z_2$ can be solved in quantum polynomial time.

This gives that $Z_p^n \rtimes Z_2$ is class I for any prime $p$.

Theorem 5.31. Let $G$ be a smoothly solvable group and let $\alpha$ be a group action of $G$. When $t = (\log^{\Omega(1)} |G|) \log(1/\epsilon)$, Orbit Coset can be solved in $G$ for $\alpha^t$ in quantum time $\mathrm{poly}(\log |G|) \log(1/\epsilon)$ with error $\epsilon$.

Using this they then show

Theorem 5.32. Hidden shift can be solved over smoothly solvable groups in quantum polynomial time. HSP can be solved in solvable groups having smoothly solvable commutator subgroups in quantum polynomial time.

Fenner and Zhang also address black-box group algorithms, obtaining efficient quantum algorithms for a few classically hard problems, by reducing them to Orbit Coset problems. The problems they study are Group Intersection (given two subsets $S_1$ and $S_2$ of a group, determine if $\langle S_1 \rangle \cap \langle S_2 \rangle \ne \emptyset$), Coset Intersection (given two subsets $S_1$ and $S_2$ of a group and a group element $g$, determine if $\langle S_1 \rangle g \cap \langle S_2 \rangle \ne \emptyset$), and Double-Coset Membership (given two subsets $S_1$ and $S_2$ of a group and group elements $g, h$, determine if $g \in \langle S_1 \rangle h \langle S_2 \rangle$).

They obtain

Theorem 5.33. Group Intersection over solvable groups can be solved efficiently in quantum polynomial time if one of the underlying solvable groups has a smoothly solvable commutator subgroup.

Theorem 5.34. Group Intersection over solvable groups is reducible to Orbit Superposition in quantum polynomial time.

Theorem 5.35. Coset Intersection and Double-Coset Membership over solvable groups can be solved in quantum polynomial time if one of the underlying groups is smoothly solvable.

van Dam, Hallgren, and Ip [?] work on a hidden shift problem. They first obtain a superposition result (ignoring the normalization constant):

Theorem 5.36. Let $f : G \to \mathbb{C}$ be a complex valued function defined on the set $G$ such that $f(x)$ has unit magnitude whenever $f(x)$ is nonzero. Then there is an efficient algorithm for creating the superposition $\sum_x f(x)|x\rangle$ with success probability equal to the fraction of $x$ such that $f(x)$ is nonzero and that uses only two queries to the function $f$.
The proof idea computes the state $|x\rangle|f(x)\rangle$, tests if $f(x)$ is nonzero, moves the phase of $|f(x)\rangle$ into $|x\rangle$ to high precision, and then applies the second $f$ to undo the first.

Let $m$ be an integer, $m = p_1^{e_1} p_2^{e_2} \cdots p_k^{e_k}$; then by the Chinese Remainder Theorem, $(\mathbb{Z}/m\mathbb{Z})^* \cong (\mathbb{Z}/p_1^{e_1}\mathbb{Z})^* \times (\mathbb{Z}/p_2^{e_2}\mathbb{Z})^* \times \cdots \times (\mathbb{Z}/p_k^{e_k}\mathbb{Z})^*$. A multiplicative character $\chi$ on $\mathbb{Z}/m\mathbb{Z}$ can be written as $\chi(x) = \chi_1(x_1) \chi_2(x_2) \cdots \chi_k(x_k)$ using this isomorphism, where $\chi_i(x_i)$ is a multiplicative character on $(\mathbb{Z}/p_i^{e_i}\mathbb{Z})^*$. We say $\chi$ is completely nontrivial if each $\chi_i$ is nontrivial. With this definition, they then solve some shifted character problems:

Theorem 5.37. Given a nontrivial (resp. completely nontrivial) multiplicative character $\chi$ of a finite field $\mathbb{F}_q$ (where $q = p^r$ for some prime $p$) (resp. over $\mathbb{Z}/m\mathbb{Z}$), and a function $f$ for which there is a shift $s$ with $f(x) = \chi(x + s)$ for all $x \in \mathbb{F}_q$ (resp. $x \in \mathbb{Z}/m\mathbb{Z}$). Then there is an efficient quantum algorithm finding $s$ with probability $1 - 1/q^2$ (resp. $(\phi(m)/m)^2 = \Omega((1/\log\log m)^2)$).

In the case where $m$ is unknown, this can still be done given a bound on $m$.

5.7. Hidden Subgroups are Distinguishable. In this section we show that, at least information theoretically, it is possible to find any hidden subgroup $H$ of a finite group $G$ with only $\lceil 4 \log |G| + 2 \rceil$ calls to the oracle function $f$, following [40] and done differently in [?]. Unfortunately, deducing $H$ from the resulting quantum state requires exponential classical time, and it is still open for which groups this can be reduced to a polynomial time quantum algorithm. The idea is to create a quantum state that contains enough information to deduce $H$ using few oracle calls, and then use $|G|$ applications of various measurements to this state to query each element of $G$. The technical work is to prove the measurements do not perturb the state too much, which would destroy information needed for later queries. Precisely we prove:

Theorem 5.38. Given a finite group $G$ and an oracle function $f : G \to X$ to a set $X$, such that $f$ separates cosets of a subgroup $H \le G$ ($f$ "hides" $H$). Then there exists a quantum algorithm that calls the oracle function $\lceil 4 \log |G| + 2 \rceil$ times and outputs a subset $S \subseteq G$, such that $S = H$ with probability at least $1 - 1/|G|$.

Proof. Fix a positive integer $m$. We work over the Hilbert space $\mathcal{H}$ of dimension $|G|^m$, with orthonormal basis indexed by $m$-tuples of elements of $G$. For any subset $S = \{s_1, s_2, \ldots, s_k\} \subseteq G$ let $|S\rangle$ be the normalized superposition $|S\rangle = \frac{1}{\sqrt{k}}(|s_1\rangle + \cdots + |s_k\rangle)$. The first step is to prepare on $\mathcal{H} \otimes \mathcal{H}$ the state

(85) $\frac{1}{\sqrt{|G|^m}} \sum_{g_1, \ldots, g_m \in G} |g_1, \ldots, g_m\rangle |f(g_1), \ldots, f(g_m)\rangle$

where we define = $|g_i H\rangle$. Note this required $m$ calls to the function $f$.

Observing the second register leaves in the first register the state which is a tensor product of random left cosets of $H$, uniformly distributed. We ignore the second register for the rest of this proof. Let $|\Psi\rangle = |a_1 H\rangle \otimes \cdots \otimes |a_m H\rangle$ denote the first register, where the $a_i \in G$. For any (ordered) subset $\{b_1, \ldots, b_m\} \subseteq G$ and subgroup $K \le G$ define

(86) $|\Psi(K, \{b_i\})\rangle = |b_1 K\rangle \otimes |b_2 K\rangle \otimes \cdots \otimes |b_m K\rangle.$

The key lemma, lemma 5.39, shows for $K \not\le H$ that $\langle \Psi | \Psi(K, \{g_i\}) \rangle$ is exponentially small for any $m$ of the $g_i$.

Let $\mathcal{H}_K$ be the subspace of $\mathcal{H}$ spanned by all vectors of the form $|\Psi(K, \{g_i\})\rangle$ for all subsets $\{g_1, \ldots, g_m\} \subseteq G$. Let $P_K$ be the projection operator^{31} onto $\mathcal{H}_K$, and $P_K^{\perp}$ the projection onto the orthogonal complement of $\mathcal{H}_K$ in $\mathcal{H}$. Define the observable $A_K = P_K - P_K^{\perp}$, and fix an ordering $g_1, g_2, \ldots, g_{|G|}$ of $G$.

The algorithm then works as follows: First apply $A_{\langle g_1 \rangle}$ to $|\Psi\rangle$, where $\langle g \rangle \le G$ denotes the cyclic subgroup generated by $g \in G$. If the outcome is $-1$, then we know $g_1 \notin H$ with certainty, and if the outcome is $+1$ we know $g_1 \in H$ with high probability, by lemma 5.39. We then apply $A_{\langle g_2 \rangle}$ to the state resulting from the first measurement. Continuing in this manner, we test all elements of $G$ for membership in $H$ by sequentially applying $A_{\langle g_2 \rangle}, A_{\langle g_3 \rangle}$, and so on to the resulting states of the previous measurements. Of course if we discover $g \in H$ then we can omit the tests for $g^i \in H$. Note we may have to apply $O(|G|)$ operations to test each element, making the algorithm complexity exponential in $\log |G|$. All that remains to show is that each measurement alters the state insignificantly with high probability, so that by the final operator $A_{\langle g_{|G|} \rangle}$ we have identified with high probability exactly which elements are in $H$ and which are not.

We bound this probability of success. Let $|\Psi_0\rangle = |\Psi\rangle$. For $1 \le i \le |G|$, define the unnormalized states

(87) $|\Psi_i\rangle = \begin{cases} P_{\langle g_i \rangle} |\Psi_{i-1}\rangle & \text{if } g_i \in H \\ P^{\perp}_{\langle g_i \rangle} |\Psi_{i-1}\rangle & \text{if } g_i \notin H \end{cases}$

By induction and the definition of the probabilities, $\langle \Psi_i | \Psi_i \rangle$ equals the probability that the algorithm given above answers correctly whether $g_j \in H$ for all $1 \le j \le i$. Now for all $0 \le i \le |G|$ let $|E_i\rangle = |\Psi\rangle - |\Psi_i\rangle$ denote the error between the original state and the desired state after testing $\langle g_i \rangle$.

Since $|\Psi_{|G|}\rangle = |\Psi\rangle - |E_{|G|}\rangle$, using the bound on $\langle E_{|G|} | E_{|G|} \rangle$ from lemma 5.40 and the triangle inequality gives a lower bound on $\langle \Psi_{|G|} | \Psi_{|G|} \rangle$, the probability for correctly determining all the elements of $H$.

By choosing $m = \lceil 4 \log |G| + 2 \rceil$ the main theorem follows directly. □

Lemma 5.39. Use the notation above. Let $K \le G$. If $K \not\le H$ then $\langle \Psi | P_K | \Psi \rangle \le 2^{-m}$. If $K \le H$ then $\langle \Psi | P_K | \Psi \rangle = 1$.

Proof. Let $|H \cap K| = d$. Note that for all $g_1, g_2 \in G$ we have $|g_1 H \cap g_2 K| = d$ or $|g_1 H \cap g_2 K| = 0$. This implies that if $|g_1 H \cap g_2 K| = d$ then $\langle g_1 H | g_2 K \rangle = d / \sqrt{|H||K|}$. Therefore for any subset $\{b_1, \ldots, b_m\} \subseteq G$

$\langle \Psi | \Psi(K, \{b_i\}) \rangle = \begin{cases} \left( \frac{d}{\sqrt{|H||K|}} \right)^m & \text{if } |a_i H \cap b_i K| = d \text{ for } i = 1, 2, \ldots, m \\ 0 & \text{otherwise} \end{cases}$

There exist exactly $(|H|/d)^m$ vectors of the form $|\Psi(K, \{b_i\})\rangle$ with $\langle \Psi | \Psi(K, \{b_i\}) \rangle$ nonzero. Hence $\langle \Psi | P_K | \Psi \rangle = \left( \frac{|H|}{d} \right)^m \left( \frac{d}{\sqrt{|H||K|}} \right)^{2m} = \left( \frac{d}{|K|} \right)^m$. If $K \not\le H$ then $d/|K| \le 1/2$ and if $K \le H$ then $d = |K|$. □

Lemma 5.40. For all $0 \le i \le |G|$ we have $\langle E_i | E_i \rangle \le$

^{31} Thus $P_K = \sum_{(b_1, \ldots, b_m) \in G^m} |\Psi(K, \{b_i\})\rangle \langle \Psi(K, \{b_i\})|$.
Proof. Proof by induction on $i$. Since $|\Psi_0\rangle = |\Psi\rangle$, by definition $|E_0\rangle = 0$. Now suppose the bound holds for $i$. If $g_{i+1} \in H$, then $|\Psi_{i+1}\rangle = P_{\langle g_{i+1} \rangle}(|\Psi\rangle - |E_i\rangle) = |\Psi\rangle - P_{\langle g_{i+1} \rangle} |E_i\rangle$. Hence $\langle E_{i+1} | E_{i+1} \rangle \le \langle E_i | E_i \rangle$, which satisfies the bound. If $g_{i+1} \notin H$, then $|\Psi_{i+1}\rangle = P^{\perp}_{\langle g_{i+1} \rangle}(|\Psi\rangle - |E_i\rangle) = |\Psi\rangle - P_{\langle g_{i+1} \rangle} |\Psi\rangle - P^{\perp}_{\langle g_{i+1} \rangle} |E_i\rangle$. By lemma 5.39 we then have the bound for $i + 1$. □
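Added derivation, not part of the original text: the induction of lemma 5.40 carried through to the bound used in theorem 5.38. It assumes only lemma 5.39 and the definitions of $|\Psi_i\rangle$ and $|E_i\rangle$ above; the explicit bound $\langle E_i | E_i \rangle \le i^2 2^{-m}$ is what this argument yields, not a value quoted from the paper.

Write $P = P_{\langle g_{i+1} \rangle}$ and $P^{\perp} = P^{\perp}_{\langle g_{i+1} \rangle}$, and let $\|v\| = \sqrt{\langle v | v \rangle}$.

If $g_{i+1} \in H$, then $\langle g_{i+1} \rangle \le H$, so lemma 5.39 gives $\langle \Psi | P | \Psi \rangle = 1$, i.e. $P|\Psi\rangle = |\Psi\rangle$, and

$$|E_{i+1}\rangle = |\Psi\rangle - P(|\Psi\rangle - |E_i\rangle) = P |E_i\rangle, \qquad \|E_{i+1}\| \le \|E_i\|.$$

If $g_{i+1} \notin H$, then $\langle g_{i+1} \rangle \not\le H$, so lemma 5.39 gives $\|P|\Psi\rangle\|^2 = \langle \Psi | P | \Psi \rangle \le 2^{-m}$, and

$$|E_{i+1}\rangle = |\Psi\rangle - P^{\perp}(|\Psi\rangle - |E_i\rangle) = P|\Psi\rangle + P^{\perp}|E_i\rangle, \qquad \|E_{i+1}\| \le \|P|\Psi\rangle\| + \|E_i\| \le 2^{-m/2} + \|E_i\|.$$

Since $\|E_0\| = 0$, induction gives

$$\|E_i\| \le i \, 2^{-m/2}, \qquad \text{i.e.} \qquad \langle E_i | E_i \rangle \le i^2 \, 2^{-m} \quad (0 \le i \le |G|).$$

For theorem 5.38, with $m$ large enough that $|G| 2^{-m/2} \le 1$, the triangle inequality applied to $|\Psi_{|G|}\rangle = |\Psi\rangle - |E_{|G|}\rangle$ gives

$$\langle \Psi_{|G|} | \Psi_{|G|} \rangle \ge \left( 1 - |G| 2^{-m/2} \right)^2 \ge 1 - 2|G| 2^{-m/2}.$$

Choosing $m = \lceil 4 \log |G| + 2 \rceil$ gives $2^{-m/2} \le 2^{-2 \log |G| - 1} = \frac{1}{2|G|^2}$, so the success probability is at least $1 - \frac{2|G|}{2|G|^2} = 1 - \frac{1}{|G|}$, as the theorem states.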



6. Conclusion 



In conclusion, we have shown in great detail how to find hidden subgroups in 
any finite abelian group. This was shown to be efficient using a quantum computer, 
and is the basis for Shor's factoring algorithm, as well as many other exponentially 
faster quantum algorithms. The key ingredient was Fourier sampling - that is, doing 
a quantum Fourier transform on a state encoding the hidden subgroup, and then 
measuring (sampling) the resulting state to gather information used to compute 
the hidden subgroup generators. 

Also, we described the nonabelian case of the HSP, using representation theory 
to define the Fourier transform over arbitrary finite groups, and then mimicking 
the abelian case in an attempt to solve the HSP efficiently for any finite group. 
However this case is much harder, and only partial results are known, many of 
which we listed. 

The main open problem in the field is finding an efficient quantum algorithm for 
the symmetric group S n , which would yield an elusive (for over 30 years) efficient 
algorithm for determining graph isomorphism. However it seems that quantum 
Fourier sampling may not be up to the task since there are many negative results. 
Yet there is hope that a clever basis choice for the irreducible representations might 
turn this around. A second possibility, also seemingly remote, is finding a new 
quantum algorithm which does the trick, avoiding Fourier sampling completely. 

6.1. Other Quantum Algorithms. There are many other areas where quantum algorithms are better than classical ones. One of the earliest algorithms was Grover's searching algorithm [?], which reduces the classical complexity of searching an unordered list of $N$ items from $O(N)$ to a provably best quantum $O(\sqrt{N})$ oracle queries^{32}. See also [21]. This was exploited by [106] to make a quantum string matching algorithm much faster than the best classical algorithms given in [80], [22].

Other quantum algorithms are found in [17], [32], [50], [99]. More quantum algorithm overviews are in [?]. Continuous variable algorithms are considered in [85], [104]. A good point to start learning quantum error correction is [26].

Another interesting direction is taken by Orús, Latorre, and Martín-Delgado in [101], [102], where the authors notice an invariant of efficient quantum algorithms labelled "majorization," which they use to seek new algorithms.

A final direction is adiabatic quantum computation [123], another quantum computation model that may be physically realizable. It has recently been shown to be equivalent to the standard qubit model [?], but provides another viewpoint for quantum computation.

^{32} Many authors claim $O(\sqrt{N})$ is the algorithm time complexity. A careful look shows $O(\sqrt{N} \log N)$ is a more reasonable time complexity.
These appendices contain results used above.

Appendix A. The Cyclic Quantum Fourier Transform over $Z_N$

Here we give details on the cyclic QFT over $Z_{2^n}$ and over $Z_N$ for $N$ odd.

A.1. The Quantum Fourier Transform over $Z_{2^n}$. This section follows Coppersmith [?]. Since we already showed how to do the QFT over $Z_{2^n}$ in section 3.4.2, we only have to cover the approximate QFT. The main result is

Theorem A.1. Given an $\epsilon > 0$ and a positive integer $n$, let $N = 2^n$. Then there is a quantum circuit approximating the Fourier transform over $Z_N$ using $O(\log N (\log \log N + \log(1/\epsilon)))$ 2-qubit operations. The approximated quantum state $|\phi\rangle$ differs from the true Fourier transformed state $|\psi\rangle$ by $\| |\phi\rangle - |\psi\rangle \| < \epsilon$.

Proof. Let $n$ be a positive integer. Let $a, c$ be $n$-bit integers. The binary representations of $a$ and $c$ are

(89) $a = \sum_{i=0}^{n-1} a_i 2^i, \qquad c = \sum_{i=0}^{n-1} c_i 2^i.$

Let $X, Y$ be arrays of size $2^n$ indexed by $a$ or $c$. Let $\omega = \omega_{2^n} = \exp(2\pi i / 2^n)$ be the standard $2^n$-th root of unity.

The Fourier transform is defined as

(90) $Y_c = \frac{1}{\sqrt{N}} \sum_a X_a \omega^{ac} = \frac{1}{\sqrt{N}} \sum_a X_a \exp\left( \frac{2\pi i}{2^n} ac \right)$

or, in binary notation,

(91) $Y_c = \frac{1}{\sqrt{N}} \sum_a X_a \exp\left( \frac{2\pi i}{2^n} \sum_{j, k} a_j c_k 2^{j+k} \right).$

Whenever $j + k \ge n$, $\omega^{2^{j+k}} = 1$, so we drop those terms, giving the Fast Fourier Transform (FFT)

$Y_c = \frac{1}{\sqrt{N}} \sum_a X_a \exp\left( \frac{2\pi i}{2^n} \sum_{\substack{0 \le j, k \le n-1 \\ j + k \le n-1}} a_j c_k 2^{j+k} \right).$

Now we approximate. Instead of the summation range having a $0 \le j + k \le n - 1$ bound, we parameterize on a positive integer $m \le n$ and bound by $n - m \le j + k \le n - 1$, giving the Approximate Fast Fourier Transform ($\mathrm{AFFT}_m$):

(92) $Y_c = \frac{1}{\sqrt{N}} \sum_a X_a \exp\left( \frac{2\pi i}{2^n} \sum_{\substack{0 \le j, k \le n-1 \\ n - m \le j + k \le n-1}} a_j c_k 2^{j+k} \right).$

The argument of "exp" in the AFFT differs from that in the FFT by

$\frac{2\pi i}{2^n} \sum_{\substack{0 \le j, k \le n-1 \\ j + k < n - m}} a_j c_k 2^{j+k}$

and is bounded in magnitude by

$\left| \frac{2\pi i}{2^n} \sum_{\substack{0 \le j, k \le n-1 \\ j + k < n - m}} a_j c_k 2^{j+k} \right| \le \frac{2\pi}{2^n} \sum_{0 \le j < n - m} \; \sum_{0 \le k < n - m - j} 2^{j+k} = \frac{2\pi}{2^n} \sum_{0 \le j < n - m} 2^j \left( 2^{n-m-j} - 1 \right) \le \frac{2\pi}{2^n} (n - m) 2^{n-m} \le 2\pi n 2^{-m}.$

So the matrix entries of the AFFT differ from the FFT by a multiplicative factor of $\exp(i\delta)$, where $|\delta| \le 2\pi n 2^{-m}$. Let this error be $\exp(\delta_{j,k})$ in the $(j, k)$ entry. From arc length on a circle, we have $|1 - e^{i\delta}| \le |\delta|$.

To compute the error between the quantum states resulting from the FFT and AFFT, compute for any state $|\psi\rangle = \sum_j a_j |j\rangle$

(93) $\| (\mathrm{FFT} - \mathrm{AFFT}_m) |\psi\rangle \|^2 = \sum_{k=0}^{N-1} \left| \sum_{j=0}^{N-1} \frac{\omega^{jk}}{\sqrt{N}} a_j \left( 1 - \exp(\delta_{j,k}) \right) \right|^2$

(94) $\le (2\pi n 2^{-m})^2 \sum_{k=0}^{N-1} \left| \sum_{j=0}^{N-1} \frac{\omega^{jk}}{\sqrt{N}} a_j \right|^2$

(95) $= (2\pi n 2^{-m})^2 \, \| \mathrm{FFT} |\psi\rangle \|^2$

(96) $= (2\pi n 2^{-m})^2 \cdot 1$

Thus for any $\epsilon > 0$, taking $m \ge \log(2\pi) + \log n + \log(1/\epsilon)$ gives that

(97) $\| (\mathrm{FFT} - \mathrm{AFFT}_m) |\psi\rangle \| \le \epsilon.$

Now we show how to compute the AFFT efficiently, similar to the method in section 3.4.2. Let $Q^{(J,K)}$ be the operation that multiplies the amplitude of those states with a 1 in positions $J$ and $K$ by a factor of $\omega^{2^{n-1-(K-J)}}$. This is similar to the $R^{(a,b)}$ defined for the QFT earlier. Let $H^{(J)}$ be the operation of applying the Hadamard matrix $\frac{1}{\sqrt{2}} \begin{pmatrix} 1 & 1 \\ 1 & -1 \end{pmatrix}$ to qubit $J$. Then check that the operation

(98) $H^{(0)} Q^{(0,1)} Q^{(0,2)} \cdots Q^{(0,n-1)} H^{(1)} Q^{(1,2)} Q^{(1,3)} \cdots Q^{(n-2,n-1)} H^{(n-1)}$

performs the QFT as earlier. To perform the AFFT we drop those $Q^{(J,K)}$ with $K > J + m$, so it requires about $nm$ 2-qubit operations. Taking $m = O(\log n + \log(1/\epsilon))$ to bound the error as required, we obtain the complexity bound. □
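As an added numerical check (not code from the paper or from Coppersmith), the transform written in the binary form (91) and its approximation $\mathrm{AFFT}_m$ from (92), which drops the phase terms with $j + k < n - m$; the error $\|(\mathrm{FFT} - \mathrm{AFFT}_m)|\psi\rangle\|$ on a random unit state is compared against the bound $2\pi n 2^{-m}$ derived above. Function names are ours, and the code is pure Python so it runs without numpy.

```python
# Added example, not from the paper: Coppersmith's binary-form FFT and the
# approximate transform AFFT_m of the proof above, with a check of the bound
# ||(FFT - AFFT_m)|psi>|| <= 2*pi*n*2^(-m).
import cmath
import math
import random


def bits(x, n):
    """Binary digits x_0 .. x_{n-1}, least significant first, as in (89)."""
    return [(x >> i) & 1 for i in range(n)]


def fourier_entry(a, c, n, m=None):
    """Matrix entry mapping X_a to Y_c, including the 1/sqrt(N) factor.

    m is None: exact FFT, keeping a_j c_k 2^(j+k) for j + k <= n - 1.
    m given:   AFFT_m, keeping only n - m <= j + k <= n - 1 (equation (92))."""
    N = 1 << n
    lo = 0 if m is None else n - m
    abits, cbits = bits(a, n), bits(c, n)
    total = 0
    for j in range(n):
        if not abits[j]:
            continue
        for k in range(n):
            if cbits[k] and lo <= j + k <= n - 1:
                total += 1 << (j + k)
    return cmath.exp(2j * math.pi * total / N) / math.sqrt(N)


def transform(state, n, m=None):
    """Apply the FFT (m is None) or AFFT_m to a vector of 2^n amplitudes."""
    N = 1 << n
    return [sum(fourier_entry(a, c, n, m) * state[a] for a in range(N))
            for c in range(N)]


def norm(v):
    return math.sqrt(sum(abs(x) ** 2 for x in v))


def random_state(n, seed=0):
    """A constructed random unit vector on n qubits (fixed seed for reproducibility)."""
    rng = random.Random(seed)
    v = [complex(rng.gauss(0, 1), rng.gauss(0, 1)) for _ in range(1 << n)]
    s = norm(v)
    return [x / s for x in v]


def approximation_error(n, m, seed=0):
    """Return (actual error, bound 2*pi*n*2^-m) for AFFT_m on a random state."""
    psi = random_state(n, seed)
    exact = transform(psi, n)
    approx = transform(psi, n, m)
    err = norm([x - y for x, y in zip(exact, approx)])
    bound = 2 * math.pi * n / (1 << m)
    return err, bound


def exact_matches_dft(n):
    """Sanity check: dropping j + k >= n terms does not change the DFT omega^(ac)/sqrt(N)."""
    N = 1 << n
    for a in range(N):
        for c in range(N):
            plain = cmath.exp(2j * math.pi * a * c / N) / math.sqrt(N)
            if abs(fourier_entry(a, c, n) - plain) > 1e-9:
                return False
    return True


if __name__ == "__main__":
    n = 7
    for m in range(3, n + 1):
        err, bound = approximation_error(n, m)
        print(f"n={n} m={m}: error {err:.4f} <= bound {bound:.4f}")
```

For m = n no terms are dropped and the error vanishes; as m decreases the dropped low-order phases grow and the measured error stays below $2\pi n 2^{-m}$.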

A.2. The Quantum Fourier Transform over $Z_N$, $N$ Odd. This section gives an algorithm to approximate the QFT over $Z_N$ efficiently. The algorithm is from the Hales thesis [55] and the paper by Hallgren et al. [57], but their proofs are incorrect. This section gives the proof from Lomont [88]. The end result is a proof of the correctness of their algorithm, with concrete bounds suitable for quantum simulation instead of the asymptotic bounds listed in their papers. The final result is theorem A.17. The general idea of the algorithm is to make many copies of the initial state vector and perform a $2^n$ style QFT for a large value, and extract from this state period information for the original odd $N$. The proof requires a lot of tedious work; it is more instructive to work through the algorithm until the general idea is clear.

A.2.1. Notation and Basic Facts. We fix three integers: an odd integer $N \ge 3$, $L \ge 2$ a power of 2, and $M \ge LN$ a power of 2. This gives $(M, N) = 1$, which we need later.

Some notation and facts to clarify the presentation:

• $\sqrt{-1}$ will be written explicitly, as $i$ will always denote an index.

• For an integer $n \ge 1$, let $\omega_n = e^{2\pi\sqrt{-1}/n}$ denote a primitive $n$th root of unity.

• Fact: $|1 - e^{\sqrt{-1}\theta}| \le |\theta|$, as can be seen from arc length on the unit circle. If $-\pi \le \theta \le \pi$ we also^{33} have $|\theta|/2 \le |1 - e^{\sqrt{-1}\theta}|$. Thus for real values $a$ we have $|1 - \omega_n^a| \le |2\pi a / n|$, etc.

• $\log n$ denotes log base 2, while $\ln n$ is the natural log. Since $M$ and $L$ are powers of two, $\lceil \log M \rceil = \lfloor \log M \rfloor = \lfloor \log M \rceil = \log M$, and similarly for $L$, but we often leave the symbols to emphasize expressions are integral.

• For a real number $x$, $\lceil x \rceil$ is the smallest integer greater than or equal to $x$, $\lfloor x \rfloor$ is the largest integer less than or equal to $x$, and $\lfloor x \rceil$ is the nearest integer, with ties rounding up^{34}. We often use the three relations:

$x - \tfrac{1}{2} \le \lfloor x \rceil \le x + \tfrac{1}{2}, \qquad x - 1 < \lfloor x \rfloor \le x, \qquad x \le \lceil x \rceil < x + 1.$

• Indices: $i$ and $s$ will be indices from $0, 1, \ldots, N - 1$. $j$ will index from $0, 1, \ldots, L - 1$. $k$ will index from $0, 1, \ldots, M - 1$. $a$ and $b$ will be arbitrary indices. $t$ will index from a set $C_s$, defined in definition A.3 below.

• Given $i \in \{0, 1, \ldots, N - 1\}$, let $i' = \lfloor \frac{M}{N} i \rceil$ denote the nearest integer to $\frac{M}{N} i$ with ties broken as above. Similarly for $s$ and $s'$. Note $0 \le i' \le M - 1$.

• For a real number $x$ and positive real number $n$, let $x \bmod n$ denote the real number $y$ such that $0 \le y < n$ and $y = x + mn$ for an integer $m$. Note that we do not think of $x \bmod n$ as an equivalence class, but as a real number in $[0, n)$.

• $|u\rangle$ and $|v\rangle$ are vectors in spaces defined later, and given a vector $|u\rangle$ denote its coefficients relative to the standard (orthonormal) basis $\{|0\rangle, |1\rangle, \ldots, |n - 1\rangle\}$ by $u_0, u_1, \ldots, u_{n-1}$, etc.

• For a real number $x$, define a function of $x$ equal to $x \bmod M$ if $0 \le (x \bmod M) \le \frac{M}{2}$, and to $-x \bmod M$ otherwise.

^{33} This range can be extended slightly.

^{34} We could break ties arbitrarily with the same results.
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Thus < < Properties of this function are easiest to see by noting 
it is a sawtooth function, with period M, and height M/2. 

• For an integer s set 5 S = \_j^s~\ — j^s. Then \S S \ < |. 

• The (unitary) Fourier transform over a cyclic group of order N is denoted 
F N . Thus if \u) = X^ilo 1 tncn f n\u) = ^ Z)i^=o w ^wl s )- Wc write 
| u) = Fn\u), with coefficients iij. 

• Eilo 1 M 2 = 1 implies J2i Kl < V^- 



We define sets of integers which will play an important role: 

Definition A.2. For $i = 0, 1, \ldots, N-1$, let $\langle i \rangle$ denote the set of integers in the 
open interval $\left( i' - \frac{M}{2N} + \frac12,\; i' + \frac{M}{2N} - \frac12 \right)$ taken mod $M$. Recall $i' = \lfloor \frac{M}{N} i \rceil$. 

The second definition we make precise is a division and remainder operation: 

Definition A.3. Given $M, N$ as above. Set $\alpha = \left\lfloor \frac{M}{2N} + \frac12 \right\rfloor$, and $\beta = \left\lceil \frac{M}{2N} - \frac12 \right\rceil - 1$. 
We define the map $\Lambda : \{0, 1, \ldots, M-1\} \to \{0, 1, \ldots, N-1\} \times \{-\alpha, -\alpha+1, \ldots, \alpha\}$ 
as follows: for any $k \in \{0, 1, \ldots, M-1\}$, let $k' = \left\lfloor \frac{N}{M} k \right\rceil$, and set $\Lambda(k) = (s, t)$, via 

$$ t = k - \left\lfloor \frac{M}{N} k' \right\rceil, \qquad s = k' \bmod N. $$

We extend this definition to a transform of basis elements $|k\rangle$ via 

$$ \Lambda |k\rangle = |s\rangle |t + \alpha\rangle $$

and extend to all vectors by linearity. 

Finally, from the image of $\Lambda$, define $C_s = \{ t : (s, t) \in \operatorname{Image} \Lambda \}$ to be those 
values of $t$ appearing for a fixed $s$. Thus $\sum_{k=0}^{M-1} |k\rangle \mapsto \sum_{s=0}^{N-1} \sum_{t \in C_s} |s\rangle |t + \alpha\rangle$. 

We will show the integers $\{-\beta, \ldots, \beta\} \subseteq C_s \subseteq \{-\alpha, \ldots, \alpha\}$ for all $s$, which is 
why we defined $\beta$ with the $\Lambda$ definition. $\alpha$ and $\beta$ remain fixed throughout the 
paper. 

For the proofs to work, we need that the sets $\langle i \rangle$ are disjoint and have the 
same cardinality. Note also that the mod $M$ condition gives $M - 1, 0 \in \langle 0 \rangle$ when 
$M > 3N$. We now show that the sets defined here have the required properties: 

Lemma A.4. For $i_1 \ne i_2 \in \{0, 1, \ldots, N-1\}$, 

(99) $|\langle i_1 \rangle| = |\langle i_2 \rangle|$ 

(100) $\langle i_1 \rangle \cap \langle i_2 \rangle = \emptyset$ 

Proof. Each set is defined using an interval of constant width, centered at an integer, 
so the sets will have the same cardinality. To show disjointness, for any integer $a$, 
take the rightmost bound $R_a = \lfloor \frac{M}{N} a \rceil + \frac{M}{2N} - \frac12$ of an interval and compare it to 



THE HIDDEN SUBGROUP PROBLEM - REVIEW AND OPEN PROBLEMS 



49 



the leftmost bound $L_{a+1} = \lfloor \frac{M}{N}(a+1) \rceil - \frac{M}{2N} + \frac12$ of the next interval: 

(101) $L_{a+1} - R_a = \left\lfloor \frac{M}{N}(a+1) \right\rceil - \left\lfloor \frac{M}{N} a \right\rceil - \frac{M}{N} + 1$ 

(102) $\ge \left( \frac{M}{N}(a+1) - \frac12 \right) - \left( \frac{M}{N} a + \frac12 \right) - \frac{M}{N} + 1$ 

(103) $= 0$ 

giving that the open intervals are disjoint. Thus taking the integers in the intervals 
mod $M$ remains disjoint (which requires $i_1, i_2 \le N-1$). □ 

Note the image of $\Lambda$ is not a cartesian product; the values $t$ assumes depend 
on $s$, otherwise we would have that $M$ is a multiple of $N$. In other words, the 
cardinality of $C_s$ depends on $s$, with bounds given in the following lemma, where 
we show that our definition works and list some properties: 



Lemma A.5. Using the notation from definition A.3, 

1) the map $\Lambda$ is well defined, and a bijection with its image, 

2) $\alpha = \beta + 1$, 

3) the sets of integers satisfy $\{-\beta, \ldots, \beta\} \subseteq C_s \subseteq \{-\alpha, \ldots, \alpha\}$ for all $s \in 
\{0, 1, \ldots, N-1\}$. 

Proof. Given a $k$ in $\{0, 1, \ldots, M-1\}$, let $\Lambda(k) = (s, t)$. Clearly $0 \le s \le N-1$. Set 
$\alpha = \lfloor \frac{M}{2N} + \frac12 \rfloor$. To check that $-\alpha \le t \le \alpha$, note 

(104) $\left| \frac{N}{M} k - k' \right| \le \frac12$ 

giving 

(105) $\frac{M}{2N} + \frac12 \ge t = k - \left\lfloor \frac{M}{N} k' \right\rceil \ge -\frac{M}{2N} - \frac12$ 

and $t$ integral allows the rounding operation. Thus the definition makes sense. 

Next we check that both forms of $\Lambda$ in the definition are bijections. Suppose 
$k_1 \ne k_2$ are both in $\{0, 1, \ldots, M-1\}$, with images $\Lambda(k_r) = (s_r, t_r)$, $r = 1, 2$. Let 
$k'_r = \lfloor \frac{N}{M} k_r \rceil$, $r = 1, 2$. Note $0 \le k'_r \le N$. Assume $(s_1, t_1) = (s_2, t_2)$. If $k'_1 = k'_2$, then 

(106) $k_1 = t_1 + \left\lfloor \frac{M}{N} k'_1 \right\rceil$ 

(107) $= t_2 + \left\lfloor \frac{M}{N} k'_2 \right\rceil = k_2$ 

a contradiction. So we are left with the case $k'_1 \ne k'_2$. In order for $s_1 = s_2$ we 
have (without loss of generality) $k'_1 = 0$, $k'_2 = N$. But then $t_1 = k_1 \ge 0$ and 
$t_2 = k_2 - M \le M - 1 - M = -1$, a contradiction. Thus $\Lambda$ in the first sense is a 
bijection. 

The second interpretation follows easily since $-\alpha \le t \le \alpha$ gives $0 \le t + \alpha \le 2\alpha$. 
So the second register needs to have a basis with at least $2\alpha + 1$ elements, which 
causes the number of qubits needed$^{35}$ to implement the algorithm to be $\lceil \log M \rceil + 2$ 
instead of $\lceil \log M \rceil$. 

35 This is proven in theorem A.17. 
To see $\alpha = \beta + 1$, bound $\alpha - \beta$ using the methods above, and$^{36}$ one obtains 
$2 > \alpha - \beta > 0$. 

All integers between $\lfloor \frac{M}{N}(s+1) \rceil$ and $\lfloor \frac{M}{N} s \rceil$ inclusive must be of the form $t_1 + 
\lfloor \frac{M}{N} s \rceil$ for $t_1 \in C_s$ or of the form $t_2 + \lfloor \frac{M}{N}(s+1) \rceil$ for $t_2 \in C_{s+1}$. This range contains 
$\lfloor \frac{M}{N}(s+1) \rceil - \lfloor \frac{M}{N} s \rceil + 1 \ge \frac{M}{N}$ integers, and at most $\alpha + 1$ of these are of the form 
$t_2 + \lfloor \frac{M}{N}(s+1) \rceil$ with $t_2 \in C_{s+1}$. This leaves at least $\frac{M}{N} - \alpha - 1 \ge \frac{M}{2N} - \frac32$ that have 
to be of the form $t_1 + \lfloor \frac{M}{N} s \rceil$ with $t_1 \in C_s$, implying $\beta \in C_s$. Similar arguments give 
$\pm\beta \in C_s$, thus $\{-\beta, \ldots, \beta\} \subseteq C_s \subseteq \{-\alpha, \ldots, \alpha\}$ for all $s$. □ 

$\Lambda$ is efficient to implement as a quantum operation, since it is efficient classically 
[29, Chapter 4]. Finally we note that $\Lambda$, being a bijection, can be extended to a 
permutation of basis vectors $|k\rangle$, thus can be considered an efficiently implementable 
unitary operation. 
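As an added illustration, not code from the paper, the following Python program implements definition A.3's map $\Lambda$, the sets $\langle i \rangle$ of definition A.2 and the sawtooth $|x|_M$ of section A.2.1, and then checks every claim of lemmas A.4, A.5 and A.6 exhaustively for concrete pairs $(M, N)$. The pairs used are chosen here; $(M, N) = (1024, 65)$ is the pair mentioned in footnote 47 of theorem A.17. Arithmetic is done with `Fraction` so that the nearest-integer rounding $\lfloor x \rceil$ (ties up) is exact.

```python
"""Definition A.3's division-and-remainder map Lambda, the sets <i> of
definition A.2, and exhaustive checks of lemmas A.4, A.5 and A.6 for
concrete (M, N).  Added example; the parameter pairs are assumptions."""
from fractions import Fraction
from math import floor, ceil


def nearest(x):
    """[x]: nearest integer, ties rounding up, as in section A.2.1."""
    return floor(x + Fraction(1, 2))


def alpha_beta(M, N):
    """alpha = floor(M/2N + 1/2), beta = ceil(M/2N - 1/2) - 1 (definition A.3)."""
    x = Fraction(M, 2 * N)
    return floor(x + Fraction(1, 2)), ceil(x - Fraction(1, 2)) - 1


def lam(k, M, N):
    """Lambda(k) = (s, t) with k' = [kN/M], t = k - [k'M/N], s = k' mod N."""
    kp = nearest(Fraction(k * N, M))
    return kp % N, k - nearest(Fraction(kp * M, N))


def bracket(i, M, N):
    """<i>: the integers in the open interval (i' - M/2N + 1/2, i' + M/2N - 1/2), mod M."""
    ip = nearest(Fraction(M * i, N))
    lo = ip - Fraction(M, 2 * N) + Fraction(1, 2)
    hi = ip + Fraction(M, 2 * N) - Fraction(1, 2)
    return {b % M for b in range(floor(lo) + 1, ceil(hi))}


def abs_mod(x, M):
    """|x|_M: the sawtooth of period M and height M/2 from section A.2.1."""
    r = x - floor(x / M) * M          # x mod M as a number in [0, M)
    return r if r <= Fraction(M, 2) else M - r


def check_lemmas(M, N):
    """One boolean per claim of lemmas A.4, A.5 and A.6, checked over all k and i."""
    alpha, beta = alpha_beta(M, N)
    image = {}                         # (s, t) -> list of preimages k
    for k in range(M):
        image.setdefault(lam(k, M, N), []).append(k)
    C = {s: {t for (ss, t) in image if ss == s} for s in range(N)}   # the sets C_s
    sets = [bracket(i, M, N) for i in range(N)]
    lemma_a6 = all(
        abs_mod(k - Fraction(M * i, N), M) >= Fraction(M, 2 * N) - 1
        for i in range(N) for k in range(M) if k not in sets[i])
    return {
        "injective": all(len(ks) == 1 for ks in image.values()),          # A.5 (1)
        "t_in_range": all(-alpha <= t <= alpha for (_, t) in image),       # A.5 (1)
        "alpha_is_beta_plus_1": alpha == beta + 1,                         # A.5 (2)
        "beta_box_in_Cs": all(set(range(-beta, beta + 1)) <= C[s] for s in range(N)),  # A.5 (3)
        "brackets_equal_size": len({len(S) for S in sets}) == 1,           # A.4 (99)
        "brackets_disjoint": sum(len(S) for S in sets) == len(set().union(*sets)),  # A.4 (100)
        "lemma_a6": lemma_a6,                                              # A.6 (115)
    }


if __name__ == "__main__":
    for M, N in [(16, 3), (64, 5), (256, 13), (1024, 65)]:
        print(M, N, alpha_beta(M, N), check_lemmas(M, N))
```

For $(M, N) = (16, 3)$ one can follow the map by hand: $\alpha = 3$, $\beta = 2$, $C_0 = C_1 = \{-2, \ldots, 2\}$ and $C_2 = \{-3, \ldots, 2\}$, so the image is not a cartesian product, exactly as remarked after lemma A.4.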

We define some vectors we will need. For $i \in \{0, 1, \ldots, N-1\}$ define 

$$ |A^i\rangle = F_M F_{LN}^{-1} |Li\rangle = \sum_{k=0}^{M-1} A^i_k |k\rangle, \qquad A^i_k = \frac{1}{\sqrt{LMN}} \sum_{a=0}^{LN-1} \omega_M^{a(k - \frac{M}{N} i)} $$

$$ |B^i\rangle = |A^i\rangle \text{ restricted to integers in the set } \langle i \rangle = \sum_{b \in \langle i \rangle} A^i_b |b\rangle $$

$$ |T^i\rangle = |A^i\rangle \text{ restricted to integers outside the set } \langle i \rangle = |A^i\rangle - |B^i\rangle = \sum_{b \notin \langle i \rangle} A^i_b |b\rangle $$

Think $A^i$ for actual values, $B^i$ for bump functions, and $T^i$ for tail functions. Note 
that the coefficients $B^i_b$ and $T^i_b$ are just $A^i_b$ for $b$ in the proper ranges. 

We also define three equivalent shifted versions of $|B^0\rangle$. Note that to make these 
definitions equivalent we require the sets $\langle i \rangle$ to have the same cardinality. Let 

$$ |S^i\rangle = \sum_{b \in \langle 0 \rangle} B^0_b |b + i'\rangle = \sum_{b \in \langle i \rangle} B^0_{b - i'} |b\rangle = \sum_{b \in \langle i \rangle} A^0_{b - i'} |b\rangle, $$

where each $b \pm i'$ expression is taken mod $M$. The $|S^i\rangle$ have disjoint support, which follows from 
lemma A.4, and will be important for proving theorem A.14. 



A.2.2. The Algorithm. The algorithm takes a unit vector (quantum state) $|u\rangle$ on 
$\lceil \log N \rceil$ qubits$^{37}$, does a Fourier transform $F_L$, $L$ a power of two, on another register 
containing $|0\rangle$ with $\lceil \log M \rceil - \lceil \log N \rceil + 2$ qubits, to create$^{38}$ a superposition, and 
then reindexes the basis to create $L$ (normalized) copies of the coefficients of $|u\rangle$, 
resulting in $|u_L\rangle$. Then another power of two Fourier transform $F_M$ is applied. The 
division $\Lambda$ results in a vector very close to the desired output $F_N|u\rangle$ in the first 
register, with garbage in the second register (with some slight entanglement). The 
point of this paper is to show how close the output is to this tensor product. We 
use $\lceil \log M \rceil + 2$ qubits, viewed in two ways: as a single register $|k\rangle$, or as a $\lceil \log N \rceil$-
qubit first register, with the remaining qubits in the second register, written $|s\rangle|t\rangle$. 
We note that merely $\lceil \log M \rceil$ qubits may not be enough qubits to hold some of the 
intermediate results. The algorithm is: 

36 $(M, N) = 1$ is used to get the strict inequalities. 

37 Recall logs are base 2. 

38 Note it may be more efficient to apply the Hadamard operator $H$ to each qubit in $|0\rangle$. 

A.2.3. The Odd Cyclic QFT Algorithm. 

(108) $|u\rangle|0\rangle \xrightarrow{F_L} \frac{1}{\sqrt L} \sum_{i=0}^{N-1} \sum_{j=0}^{L-1} u_i |i\rangle |j\rangle$ 

(109) $\xrightarrow{\text{multiply}} \frac{1}{\sqrt L} \sum_{i,j} u_i |i + jN\rangle$ 

(110) $= |u_L\rangle$ 

(111) $\xrightarrow{F_M} \frac{1}{\sqrt{LM}} \sum_{i,j} \sum_{k=0}^{M-1} u_i\, \omega_M^{(i+jN)k} |k\rangle$ 

(112) $\xrightarrow{\Lambda} \frac{1}{\sqrt{LM}} \sum_{i,j} \sum_{s=0}^{N-1} \sum_{t \in C_s} u_i\, \omega_M^{(i+jN)(t + \lfloor \frac{M}{N} s \rceil)} |s\rangle |t + \alpha\rangle$ 

(113) $= \frac{1}{\sqrt N} \sum_{i,s=0}^{N-1} \omega_N^{is} u_i \sqrt{\frac{N}{LM}} \sum_{t \in C_s} \sum_{j=0}^{L-1} \omega_M^{(i+jN)(t + \delta_s)} |s\rangle |t + \alpha\rangle$ 

(114) $= |v\rangle$ 

$|u_L\rangle$ is the vector that is $L$ copies of the coefficients from $|u\rangle$, normalized. $|v\rangle$ is 
the algorithm output. 



Notice that $F_N|u\rangle$ appears in the output in line 113, but the rest is unfortunately 
dependent on $s$ and $i$. However the dependence is small: if $C_s$ were the same for all 
$s$, if the $\delta_s$, which are bounded in magnitude by $\frac12$, were actually zero, and if the $i$ 
dependence were dropped, then the output would leave $F_N|u\rangle$ in the first register. 
The paper shows this is approximately true, and quantifies the error. 
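The following Python simulation of lines (108) to (114) is an added example, not code from the paper. It builds $|u_L\rangle$, applies the unitary $F_M$ with a small radix-2 FFT, applies $\Lambda$, and measures the distance between the output $|v\rangle$ and the tensor product $F_N|u\rangle \otimes \sum_{t \in \Delta} A^0_t |t + \alpha\rangle$ that theorem A.14 bounds, next to the value of that bound; it also verifies the exact identity $F_M|u_L\rangle = \sum_i \hat u_i |A^i\rangle$ used in the proof of theorem A.14 (with $\Delta$ the set $\langle 0 \rangle$ without the mod $M$, as defined before lemma A.13). The input $|u\rangle$ is a constructed random unit vector, and the parameters $N = 13$, $L = 256$, $M = 32768$ are assumptions chosen so that the bound of theorem A.14 is below 1.

```python
"""Simulation of the odd cyclic QFT algorithm (108)-(114) in pure Python,
with the error of theorem A.14 measured against its bound.  Added example;
the input state and the parameters (N, L, M) are assumptions."""
import cmath
import math
import random
from fractions import Fraction
from math import floor


def nearest(x):
    """[x]: nearest integer, ties rounding up (section A.2.1)."""
    return floor(x + Fraction(1, 2))


def lam(k, M, N):
    """Definition A.3: Lambda(k) = (s, t)."""
    kp = nearest(Fraction(k * N, M))
    return kp % N, k - nearest(Fraction(kp * M, N))


def _fft(x):
    """Unnormalised DFT X_k = sum_a x_a w_n^{ak}, w_n = e^{2 pi sqrt(-1)/n}, by
    radix-2 recursion; falls back to the direct sum once the length is odd."""
    n = len(x)
    if n % 2:
        return [sum(x[a] * cmath.exp(2j * math.pi * a * k / n) for a in range(n))
                for k in range(n)]
    e, o = _fft(x[0::2]), _fft(x[1::2])
    out = [0j] * n
    for k in range(n // 2):
        tw = cmath.exp(2j * math.pi * k / n) * o[k]
        out[k], out[k + n // 2] = e[k] + tw, e[k] - tw
    return out


def F(x):
    """The unitary Fourier transform F_n of section A.2.1, n = len(x)."""
    return [y / math.sqrt(len(x)) for y in _fft(x)]


def odd_qft_algorithm(u, L, M):
    """Lines (108)-(112): returns the output |v> as {(s, t): amplitude}."""
    N = len(u)
    uL = [0j] * M                                    # (109)-(110): L normalised copies of u in LN <= M slots
    for j in range(L):
        for i in range(N):
            uL[i + j * N] = u[i] / math.sqrt(L)
    w = F(uL)                                        # (111): F_M
    return {lam(k, M, N): w[k] for k in range(M)}    # (112): Lambda |k> = |s>|t + alpha>


def target_state(u, L, M):
    """F_N|u> (x) sum_{t in Delta} A^0_t |t + alpha>, the tensor product in theorem A.14."""
    N = len(u)
    uhat = F(u)                                      # |u-hat> = F_N|u>, direct sum since N is odd
    A0 = F([1 / math.sqrt(L * N) if a < L * N else 0j for a in range(M)])   # |A^0> = F_M F_{LN}^{-1}|0>
    half = Fraction(M, 2 * N) - Fraction(1, 2)
    Delta = [t for t in range(-M // 2, M // 2) if -half < t < half]        # <0> without the mod M
    return {(s, t): uhat[s] * A0[t % M] for s in range(N) for t in Delta}


def identity_error(u, L, M):
    """||F_M|u_L> - sum_i u-hat_i |A^i>||, which line (172) says is exactly zero."""
    N = len(u)
    uhat = F(u)
    lhs = F([u[a % N] / math.sqrt(L) if a < L * N else 0j for a in range(M)])
    rhs = [0j] * M
    for i in range(N):                               # |A^i> = F_M F_{LN}^{-1}|Li>
        Ai = F([cmath.exp(-2j * math.pi * a * i / N) / math.sqrt(L * N) if a < L * N else 0j
                for a in range(M)])
        for k in range(M):
            rhs[k] += uhat[i] * Ai[k]
    return math.sqrt(sum(abs(p - q) ** 2 for p, q in zip(lhs, rhs)))


def theorem_a14_bound(N, L, M):
    """Right hand side of (171)."""
    return (2 / math.pi) * math.sqrt(22 * math.log(N) ** 2 / L + 32 * N * N / (L * M)) \
        + math.pi * L * N / (M * math.sqrt(3))


def run(N=13, L=256, M=32768, seed=7):
    """Constructed random unit input |u>; returns output norm, error and the bound."""
    rng = random.Random(seed)
    raw = [complex(rng.gauss(0, 1), rng.gauss(0, 1)) for _ in range(N)]
    nrm = math.sqrt(sum(abs(z) ** 2 for z in raw))
    u = [z / nrm for z in raw]
    v, tgt = odd_qft_algorithm(u, L, M), target_state(u, L, M)
    keys = set(v) | set(tgt)
    return {
        "output_norm": math.sqrt(sum(abs(z) ** 2 for z in v.values())),
        "error": math.sqrt(sum(abs(v.get(q, 0) - tgt.get(q, 0)) ** 2 for q in keys)),
        "bound": theorem_a14_bound(N, L, M),
    }


if __name__ == "__main__":
    print(run())
```

The measured error is well inside the bound for these parameters; the constants in theorem A.14 are loose, as the text says, but they are what a simulator needs in order to pick $L$ and $M$ in advance.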

A.2.4. Initial Bounds. We need many bounds to reach the final theorem, which we 
now begin proving. 

Lemma A.6. For integers $N \ge 2$, $M \ge 2N$, and any $i \in \{0, 1, \ldots, N-1\}$, 
$k \in \{0, 1, \ldots, M-1\}$, with $k \notin \langle i \rangle$, we have 

(115) $\left| k - \frac{M}{N} i \right|_M \ge \frac{M}{2N} - 1$ 



Proof. The sets $\langle i \rangle$ are disjoint, so we do two cases. If $i = 0$, then $k \notin \langle 0 \rangle$ implies 

(116) $\frac{M}{2N} - \frac12 \le k \le M - \frac{M}{2N} + \frac12$ 

from which it follows that 

(117) $\left| k - \frac{M}{N} \cdot 0 \right|_M \ge \frac{M}{2N} - \frac12 \ge \frac{M}{2N} - 1$ 

If $i \ne 0$, then either $k$ is less than the integers in $\langle i \rangle$ or greater than the integers 
in $\langle i \rangle$, giving two subcases. Subcase 1: 

(118) $0 \le k \le \left\lfloor \frac{M}{N} i \right\rceil - \frac{M}{2N} + \frac12 \le \frac{M}{N} i - \frac{M}{2N} + 1$ 

implying 

(119) $\frac{M}{2N} - 1 \le \frac{M}{N} i - k \le \frac{M}{N} i \le M - \frac{M}{N}$ 

which gives the bound. Subcase 2 is then 

(120) $\frac{M}{N} i + \frac{M}{2N} - 1 \le \left\lfloor \frac{M}{N} i \right\rceil + \frac{M}{2N} - \frac12 \le k \le M - 1$ 

which implies 

(121) $\frac{M}{2N} - 1 \le k - \frac{M}{N} i \le M - 1 - \frac{M}{N}$ 

giving the bound and the proof. □ 

We now bound many of the $|A^i\rangle$ coefficients. 

Lemma A.7. For $k \in \{0, 1, \ldots, M-1\}$ and $i \in \{0, 1, \ldots, N-1\}$, with $\frac{k}{M} - \frac{i}{N}$ 
not an integer, then 

(122) $|A^i_k| \le \frac{2}{\pi} \sqrt{\frac{M}{LN}} \cdot \frac{1}{\left| k - \frac{M}{N} i \right|_M}$ 

Proof. We rewrite from the definition 

(123) $A^i_k = \frac{1}{\sqrt{LMN}} \sum_{a=0}^{LN-1} \omega_M^{ak}\, \omega_N^{-ai}$ 

(124) $= \frac{1}{\sqrt{LMN}} \sum_{a=0}^{LN-1} \omega_M^{a(k - \frac{M}{N} i)}$ 

which is a geometric series. By hypothesis, $\omega_M^{k - \frac{M}{N} i} \ne 1$, so we can sum as$^{39}$ 

(125) $A^i_k = \frac{1}{\sqrt{LMN}} \cdot \frac{1 - \omega_M^{LN(k - \frac{M}{N} i)}}{1 - \omega_M^{k - \frac{M}{N} i}}$ 

The numerator is bounded above by 2, and the denominator satisfies 

(126) $\left| 1 - \omega_M^{k - \frac{M}{N} i} \right| = \left| 1 - e^{2\pi\sqrt{-1}\, |k - \frac{M}{N} i|_M / M} \right|$ 

(127) $\ge \frac{\pi}{M} \left| k - \frac{M}{N} i \right|_M$ 

39 Without this requirement, the sum would be $LN$, much different than the claimed sum. The 
hypotheses avoid the resulting divide by zero. 

These together give 

(128) $|A^i_k| \le \frac{2}{\sqrt{LMN}} \cdot \frac{M}{\pi \left| k - \frac{M}{N} i \right|_M} = \frac{2}{\pi} \sqrt{\frac{M}{LN}} \cdot \frac{1}{\left| k - \frac{M}{N} i \right|_M}$ □ 

Note our initial requirement that $(M, N) = 1$ is strong enough to satisfy the 
non-integral hypothesis in lemma A.7, except for the case $i = k = 0$, which we will 
avoid. 

Next we bound a sum of these terms. We fix $\gamma = \frac12 - \frac{N}{M}$ for the rest of this 
paper. 

Lemma A.8. Given integers $N \ge 2$ and $M \ge 2N$, with $N$ odd. Let $\gamma = \frac12 - \frac{N}{M}$. 
For a fixed integer $k \in \{0, 1, \ldots, M-1\}$, 

(129) $\sum_{\substack{i=0 \\ k \notin \langle i \rangle}}^{N-1} \frac{1}{\left| k - \frac{M}{N} i \right|_M} \le \frac{2N}{M} \left( \frac{1}{\gamma} + \ln\left( \frac{N-1}{2\gamma} + 1 \right) \right)$ 

Proof. The minimum value of the denominator is at least $\frac{M}{2N} - 1$ by lemma A.6 
and the rest are spaced out by $\frac{M}{N}$, but can occur twice since the denominator is 
a sawtooth function going over one period, giving that 

(130) $\sum_{\substack{i=0 \\ k \notin \langle i \rangle}}^{N-1} \frac{1}{\left| k - \frac{M}{N} i \right|_M} \le 2 \sum_{a=0}^{(N-1)/2} \frac{1}{\frac{M}{2N} - 1 + \frac{M}{N} a}$ 

(131) $= \frac{2N}{M} \left( \frac{1}{\gamma} + \sum_{a=1}^{(N-1)/2} \frac{1}{\gamma + a} \right)$ 

(132) $\le \frac{2N}{M} \left( \frac{1}{\gamma} + \int_0^{(N-1)/2} \frac{dx}{x + \gamma} \right)$ 

(133) $= \frac{2N}{M} \left( \frac{1}{\gamma} + \ln\left( \frac{N-1}{2\gamma} + 1 \right) \right)$ □ 

The generality of the above lemma would be useful where physically adding more 
qubits than necessary would be costly, since the lemma tracks how the bound changes as 
$\gamma$ decreases. However the following corollary is what we will use in the final theorem. 

Corollary A.9. Given integers $N \ge 13$ and $M \ge 16N$, with $N$ odd. For a fixed 
value $k \in \{0, 1, \ldots, M-1\}$, 

(134) $\sum_{\substack{i=0 \\ k \notin \langle i \rangle}}^{N-1} \frac{1}{\left| k - \frac{M}{N} i \right|_M} \le \frac{4N \ln N}{M}$ 

40 Both [55] and [57] appear to overlook this fact. 



CHRIS LOMONT, CYBERNET 



Proof. Using lemma A.8, $M \ge 16N$ gives $\frac{1}{\gamma} \le \frac{16}{7}$ and 

(135) $\frac{1}{\gamma} + \ln\left( \frac{N-1}{2\gamma} + 1 \right) \le \frac{16}{7} + \ln\left( \frac{8(N-1)}{7} + 1 \right)$ 

(136) $= \ln\left( e^{16/7} \left( \frac{8(N-1)}{7} + 1 \right) \right)$ 

(137) $\le \ln\left( \frac{8}{7} e^{16/7} N \right)$ 

(138) $\le 2 \ln N$ 

where the last step required $N \ge \frac{8}{7} e^{16/7} \approx 11.2$. The corollary follows. □ 



Next we prove a bound on a sum of the above terms, weighted with a real unit 
vector. This will lead to a bound on the tails $\left\| \sum_i \hat u_i |T^i\rangle \right\|$. 

Lemma A.10. Given integers $N \ge 13$ and $M \ge 16N$, with $N$ odd. For any unit 
vector $x \in \mathbb{R}^N$, 

(139) $\sum_{k=0}^{M-1} \left( \sum_{\substack{i=0 \\ k \notin \langle i \rangle}}^{N-1} \frac{|x_i|}{\left| k - \frac{M}{N} i \right|_M} \right)^2 \le \frac{22 N \ln^2 N}{M} + \frac{32 N^3}{M^2}$ 

Proof. We split the expression into three parts, the first of which we can bound 
using methods from [55] and [57], and the other two terms we bound separately. 

Using the $\Lambda$ operator from definition A.3, along with the values $\alpha$ and $\beta$ defined 
there, and using lemma A.5, we can rewrite each $k$ with $k = t + \lfloor \frac{M}{N} k' \rceil = t + \frac{M}{N} k' + \delta_{k'}$. 
Since $s$ differs from $k'$ by a multiple of $N$, and the $|x|_M$ function has period $M$, in 
$\left| \frac{M}{N}(k' - i) + t + \delta_{k'} \right|_M$ we can replace $k'$ with $s$. Rewrite the left hand side of 
inequality 139 as 

(140) $\sum_{k=0}^{M-1} \left( \sum_{\substack{i=0 \\ k \notin \langle i \rangle}}^{N-1} \frac{|x_i|}{\left| k - \frac{M}{N} i \right|_M} \right)^2 = \sum_{s=0}^{N-1} \sum_{t \in C_s} \left( \sum_{\substack{i=0 \\ i \ne s}}^{N-1} \frac{|x_i|}{\left| \frac{M}{N}(s - i) + t + \delta_s \right|_M} \right)^2$ 

Letting $\Lambda k = (s, t)$, note that $k \notin \langle i \rangle$ if and only if $s \ne i$, which can be shown from 
the definitions and the rounding rules used earlier. To simplify notation, write 
$q_{i,s} = \frac{M}{N}(s - i) + t + \delta_s$. We have not changed the values of the denominators, so 
$|q_{i,s}|_M \ge \frac{M}{2N} - 1$ by lemma A.6 for all $i$, $(s, t)$ in this proof. 
We want to swap the $s$ and $t$ sums, but we need to remove the $t$ dependence on 
$s$. Again using lemma A.5, we can split the expression into the three terms: 

(141) $\sum_{t=-\beta}^{\beta} \sum_{s=0}^{N-1} \left( \sum_{\substack{i=0 \\ i \ne s}}^{N-1} \frac{|x_i|}{|q_{i,s}|_M} \right)^2$ 

(142) $+ \sum_{s \text{ with } \alpha \in C_s} \left( \sum_{\substack{i=0 \\ i \ne s}}^{N-1} \frac{|x_i|}{|q_{i,s}|_M} \right)^2 \quad (t = \alpha)$ 

(143) $+ \sum_{s \text{ with } -\alpha \in C_s} \left( \sum_{\substack{i=0 \\ i \ne s}}^{N-1} \frac{|x_i|}{|q_{i,s}|_M} \right)^2 \quad (t = -\alpha)$ 

Next we bound the first term 141. For a unit vector $x$ and fixed $t$ we rewrite the 
$s, i$ sum as the norm of a square matrix $P_t$ acting on $x$, so that the sum over $s$ and 
$i$ becomes 

(144) $\|P_t x\|^2 = \sum_{s=0}^{N-1} \left( \sum_{\substack{i=0 \\ i \ne s}}^{N-1} \frac{|x_i|}{|q_{i,s}|_M} \right)^2$ 

We also define similarly to each $P_t$ a matrix $Q_t$ which is the same except for minor 
modifications to the denominator: 

(145) $\|Q_t x\|^2 = \sum_{s=0}^{N-1} \left( \sum_{\substack{i=0 \\ i \ne s}}^{N-1} \frac{|x_i|}{|q_{i,s} - \delta_s|_M} \right)^2$ 

Note this matrix is circulant$^{41}$, since each entry in the matrix only depends on $s - i$. 
Also each entry is nonnegative$^{42}$. Thus the expression is maximized by the vector 
$y = \frac{1}{\sqrt N}(1, 1, \ldots, 1)$ as shown in each of [55], [57], and [88]. Now we relate these 
matrix expressions. Recall $|q_{i,s}|_M \ge \frac{M}{2N} - 1$ and $|\delta_s| \le \frac12$. Set $\Delta = \frac{N}{M - 2N}$. Then 
we find lower and upper bounds 

(146) $1 - \Delta = 1 - \frac{1/2}{\frac{M}{2N} - 1} \le 1 - \frac{|\delta_s|}{|q_{i,s}|_M} \le \frac{|q_{i,s} - \delta_s|_M}{|q_{i,s}|_M}$ 

and 

(147) $\frac{|q_{i,s} - \delta_s|_M}{|q_{i,s}|_M} \le 1 + \frac{|\delta_s|}{|q_{i,s}|_M} \le 1 + \frac{1/2}{\frac{M}{2N} - 1} = 1 + \Delta$ 

Rewriting 

(148) $\frac{1 - \Delta}{|q_{i,s} - \delta_s|_M} \le \frac{1}{|q_{i,s}|_M} \le \frac{1 + \Delta}{|q_{i,s} - \delta_s|_M}$ 

41 That is, each row after the first is the cyclic shift by one from the previous row. 

42 $|q_{i,s} - \delta_s|_M \ge |q_{i,s}|_M - \frac12 \ge \frac{M}{2N} - \frac32 > 0$, since $M > 3N$. 
and using the bounds gives 

(149) $(1 - \Delta)^2 \|Q_t x\|^2 \le \|P_t x\|^2 \le (1 + \Delta)^2 \|Q_t x\|^2$ 

Then since $y$ maximizes $\|Q_t x\|^2$, 

(150) $\|P_t x\|^2 \le (1 + \Delta)^2 \|Q_t x\|^2 \le (1 + \Delta)^2 \|Q_t y\|^2 \le \left( \frac{1 + \Delta}{1 - \Delta} \right)^2 \|P_t y\|^2$ 

giving that we can bound the leftmost term by $\left( \frac{1+\Delta}{1-\Delta} \right)^2$ times the norm at $y$. 
$\left( \frac{1+\Delta}{1-\Delta} \right)^2$ takes on values between 1 and $\frac{225}{169} \approx 1.33$ for $M \ge 16N$, better than the constant 
4 in [55] and [57]. 

Combined with corollary A.9 this allows us to bound term 141: 

(151) $\sum_{t=-\beta}^{\beta} \sum_{s=0}^{N-1} \left( \sum_{\substack{i=0 \\ i \ne s}}^{N-1} \frac{|x_i|}{|q_{i,s}|_M} \right)^2 \le \frac{225}{169} \sum_{t=-\beta}^{\beta} \sum_{s=0}^{N-1} \left( \sum_{\substack{i=0 \\ i \ne s}}^{N-1} \frac{1/\sqrt N}{|q_{i,s}|_M} \right)^2$ 

(152) $\le \frac{225}{169} \cdot \frac{M}{N} \cdot N \cdot \frac{1}{N} \left( \frac{4N \ln N}{M} \right)^2$ 

(153) $= \frac{M}{N} \cdot \frac{225}{169} \left( \frac{4N \ln N}{M} \right)^2$ 

(154) $\le \frac{22 N \ln^2 N}{M}$ 
Now we bound the other two terms, 142 and 143. We need the following fact, 
which can be shown with calculus: the expression $\sum_{i=0}^{N-1} x_i y_i$ subject to the con-
dition $\sum_{i=0}^{N-1} x_i^2 = 1$ has maximum value $\sqrt{\sum_{i=0}^{N-1} y_i^2}$. Then term 142 can be 
bounded using a similar technique as in the proof of lemma A.8. Again we take 
$\gamma = \frac12 - \frac{N}{M}$. 

(155) $\sum_{s \text{ with } \alpha \in C_s} \left( \sum_{\substack{i=0 \\ i \ne s}}^{N-1} \frac{|x_i|}{|q_{i,s}|_M} \right)^2 \le \sum_{s \text{ with } \alpha \in C_s} \sum_{\substack{i=0 \\ i \ne s}}^{N-1} \frac{1}{|q_{i,s}|_M^2}$ 

(156) $\le N \cdot \frac{2N^2}{M^2} \left( \frac{1}{\gamma^2} + \sum_{a=1}^{(N-1)/2} \frac{1}{(\gamma + a)^2} \right)$ 

(157) $\le \frac{2N^3}{M^2} \left( \frac{1}{\gamma^2} + \frac{1}{\gamma} \right)$ 

(158) $\le \frac{16 N^3}{M^2}$ 

Term 143 is bound with the same method and result, and adding these three bounds 
gives the desired inequality 139. □ 

We now use these lemmata to bound the tails $\left\| \sum_i \hat u_i |T^i\rangle \right\|$. 

Lemma A.11. Given three integers: an odd integer $N \ge 13$, $L \ge 2$ a power of 
two, and $M \ge 16N$ a power of two, then 

(159) $\left\| \sum_{i=0}^{N-1} \hat u_i |T^i\rangle \right\| \le \frac{2}{\pi} \sqrt{ \frac{22 \ln^2 N}{L} + \frac{32 N^2}{LM} }$ 

Proof. 

(160) $\left\| \sum_{i=0}^{N-1} \hat u_i |T^i\rangle \right\|^2 = \sum_{k=0}^{M-1} \left| \sum_{\substack{i=0 \\ k \notin \langle i \rangle}}^{N-1} \hat u_i A^i_k \right|^2$ 

(161) $\le \sum_{k=0}^{M-1} \left( \sum_{\substack{i=0 \\ k \notin \langle i \rangle}}^{N-1} |\hat u_i| \cdot \frac{2}{\pi} \sqrt{\frac{M}{LN}} \cdot \frac{1}{\left| k - \frac{M}{N} i \right|_M} \right)^2 = \frac{4M}{\pi^2 LN} \sum_{k=0}^{M-1} \left( \sum_{\substack{i=0 \\ k \notin \langle i \rangle}}^{N-1} \frac{|\hat u_i|}{\left| k - \frac{M}{N} i \right|_M} \right)^2$ 

(162) $\le \frac{4M}{\pi^2 LN} \left( \frac{22 N \ln^2 N}{M} + \frac{32 N^3}{M^2} \right)$ 

Taking square roots gives the result. Note that the requirements of lemma A.7 
are satisfied when obtaining line 161, since we avoid the $k = i = 0$ case, and 
$(M, N) = 1$. □ 

Next we show that the shifted $|S^i\rangle$ are close to the $|B^i\rangle$, which will allow us to 
show the algorithm output is close to a tensor product. 

Lemma A.12. 

(163) $\left\| |S^i\rangle - |B^i\rangle \right\| \le \frac{\pi L N}{M \sqrt 3}$ 

Proof. Recall $|S^i\rangle = \sum_{b \in \langle i \rangle} A^0_{(b - i') \bmod M} |b\rangle$ and $|B^i\rangle = \sum_{b \in \langle i \rangle} A^i_b |b\rangle$. It is important 
these are supported on the same indices! Also recall that $|A^i\rangle = F_M F_{LN}^{-1} |Li\rangle$ and 
that $F_M$ is unitary. Then (dropping mod $M$ throughout for brevity) 

(164) $\left\| |S^i\rangle - |B^i\rangle \right\| = \left\| \sum_{b \in \langle i \rangle} A^0_{b - i'} |b\rangle - \sum_{b \in \langle i \rangle} A^i_b |b\rangle \right\|$ 

(165) $\le \left\| \sum_{k=0}^{M-1} A^0_{k - i'} |k\rangle - \sum_{k=0}^{M-1} A^i_k |k\rangle \right\|$ 

(166) $= \left\| F_M^{-1} \left( \sum_{k=0}^{M-1} A^0_{k - i'} |k\rangle - \sum_{k=0}^{M-1} A^i_k |k\rangle \right) \right\|$ 

(167) $= \left\| \frac{1}{\sqrt{LN}} \sum_{a=0}^{LN-1} \left( \omega_M^{-a i'} - \omega_M^{-a \frac{M}{N} i} \right) |a\rangle \right\|$ 

(168) $= \left( \frac{1}{LN} \sum_{a=0}^{LN-1} \left| 1 - \omega_M^{a \delta_i} \right|^2 \right)^{1/2}$ 

and this can be bounded by 

(169) $\frac{1}{LN} \sum_{a=0}^{LN-1} \left( \frac{2\pi a \delta_i}{M} \right)^2 \le \frac{\pi^2}{LNM^2} \sum_{a=0}^{LN-1} a^2 \le \frac{(LN)^2 \pi^2}{3 M^2}$ 

Taking square roots gives the bound. □ 

In the above proof, to obtain line 165 we needed that $|S^i\rangle$ and $|B^i\rangle$ have the 
same support, but $|S^i\rangle$ is a shifted version of $|B^0\rangle$, so we implicitly needed all the 
sets $\langle i \rangle$ to have the same cardinality. This is not satisfied in [57] (although it is 
needed) but is met in [55]. 

For the rest of the section we need a set which is $\langle 0 \rangle$ without mod $M$ applied: 
let $\Delta$ be those integers in the open interval $\left( -\frac{M}{2N} + \frac12,\; \frac{M}{2N} - \frac12 \right)$. Then 

Lemma A.13. 

(170) $\Lambda |S^i\rangle = |i\rangle \sum_{t \in \Delta} A^0_t |t + \alpha\rangle$ 

Proof. By definition, $|S^i\rangle = \sum_{b \in \langle 0 \rangle} A^0_b \left| b + \lfloor \frac{M}{N} i \rceil \bmod M \right\rangle$. $\Lambda(b + \lfloor \frac{M}{N} i \rceil) = (i, b)$ 
(the proof uses $(M, N) = 1$), and $\Lambda$ a bijection implies $\Lambda \left| b + \lfloor \frac{M}{N} i \rceil \bmod M \right\rangle = 
|i\rangle |b + \alpha\rangle$. The rest follows$^{43}$. □ 

Main results. Now we are ready to use the above lemmata to prove the main theo-
rem. 

Theorem A.14. Given three integers: an odd integer $N \ge 13$, $L \ge 16$ a power of 
two, and $M \ge LN$ a power of two. Then the output $|v\rangle$ of the algorithm in section 
A.2.3 satisfies 

(171) $\left\| |v\rangle - F_N|u\rangle \otimes \sum_{t \in \Delta} A^0_t |t + \alpha\rangle \right\| \le \frac{2}{\pi} \sqrt{ \frac{22 \ln^2 N}{L} + \frac{32 N^2}{LM} } + \frac{\pi L N}{M \sqrt 3}$ 

Proof. Note 

(172) $|\hat u\rangle := F_N |u\rangle = \sum_{i=0}^{N-1} \hat u_i |i\rangle, \qquad F_M |u_L\rangle = \sum_{i=0}^{N-1} \hat u_i |A^i\rangle$ 

Using lemma A.13 and that $\Lambda$ is unitary allows us to rewrite the left hand side 
as 

(173) $\left\| |v\rangle - \sum_{s=0}^{N-1} \hat u_s \sum_{t \in \Delta} A^0_t |s\rangle |t + \alpha\rangle \right\|$ 

(174) $= \left\| \Lambda F_M |u_L\rangle - \sum_{s=0}^{N-1} \hat u_s \Lambda |S^s\rangle \right\| = \left\| \sum_{s=0}^{N-1} \hat u_s |A^s\rangle - \sum_{s=0}^{N-1} \hat u_s |S^s\rangle \right\|$ 

(175) $= \left\| \sum_{s=0}^{N-1} \hat u_s \left( |B^s\rangle + |T^s\rangle \right) - \sum_{s=0}^{N-1} \hat u_s |S^s\rangle \right\|$ 

43 It is tempting to use $C_0$ instead of $\Delta$, but this is not correct in all cases. 

By the triangle inequality this is bounded by 

(176) $\left\| \sum_{s=0}^{N-1} \hat u_s |T^s\rangle \right\| + \left\| \sum_{s=0}^{N-1} \hat u_s |B^s\rangle - \sum_{s=0}^{N-1} \hat u_s |S^s\rangle \right\|$ 

which in turn by lemmata A.11 and A.12 is bounded by 

(177) $\frac{2}{\pi} \sqrt{ \frac{22 \ln^2 N}{L} + \frac{32 N^2}{LM} } + \frac{\pi L N}{M \sqrt 3} \sqrt{ \sum_{s=0}^{N-1} |\hat u_s|^2 }$ 

The last expression has $\sum_{s=0}^{N-1} |\hat u_s|^2 = 1$, which gives the result. Note that to obtain line 
177 we needed the supports of the $|B^s\rangle$ disjoint, and that the $|S^i\rangle$ and $|B^i\rangle$ have 
the same support$^{44}$. □ 



This shows that the output of the algorithm in section A.2.3 is close to a tensor 
product of the desired output $F_N|u\rangle$ and another vector (which is not in general a 
unit vector). Since a quantum state is a unit vector, we compare the output to a 
unit vector in the direction of our approximation via: 

Lemma A.15. Let $a$ be a unit vector in a finite dimensional vector space, and $b$ 
any vector in that space. For any $0 \le \epsilon \le 1$, if $\|a - b\| \le \epsilon$ then the unit vector $b'$ 
in the direction of $b$ satisfies $\|a - b'\| \le \epsilon \sqrt 2$. 

Proof. Simple geometry shows the distance is bounded by $\sqrt{2\left(1 - \sqrt{1 - \epsilon^2}\right)}$, and 
this expression divided by $\epsilon$ has maximum value $\sqrt 2$ on $(0, 1]$. The $\epsilon = 0$ case is 
direct. □ 

So we only need a $\sqrt 2$ factor to compare the algorithm output with a unit vector 
which is $F_N|u\rangle$ tensor another unit vector. We let $|\psi\rangle$ denote the unit length vector 
in the direction of $\sum_{t \in \Delta} A^0_t |t + \alpha\rangle$ for the rest of this paper. 

For completeness, we repeat arguments from [57], [55] to obtain the operation 
complexity and probability distribution, and we show concrete choices for $M$ and 
$L$ achieving a desired error bound. 

To show that measuring the first register gives measurement statistics which are 
very close to the desired distribution, we need some notation. Given two probability 
distributions $\mathcal D$ and $\mathcal D'$ over $\{0, 1, \ldots, M-1\}$, let $|\mathcal D - \mathcal D'| = \sum_{k=0}^{M-1} |\mathcal D(k) - \mathcal D'(k)|$ 
denote the total variation distance. Then a result$^{45}$ of Bernstein and Vazirani [18] 
states that if the distance between any two states is small, then so are the induced$^{46}$ 
probability distributions: 

Lemma A.16 ([18], Lemma 3.6). Let $|\alpha\rangle$ and $|\beta\rangle$ be two normalized states, induc-
ing probability distributions $\mathcal D_\alpha$ and $\mathcal D_\beta$. Then for any $\epsilon \ge 0$ 

(178) $\| |\alpha\rangle - |\beta\rangle \| \le \epsilon \;\Rightarrow\; |\mathcal D_\alpha - \mathcal D_\beta| \le 2\epsilon + \epsilon^2$ 

independent of what basis is used for measurement. 

44 This is not satisfied in [55], and the overlapping portions make that proof invalid. 

45 Their statement is a bound of $4\epsilon$, but their proof gives the stronger result listed above. We 
choose the stronger form to help minimize the number of qubits needed for simulations. 

46 The induced distribution from a state $|\phi\rangle$ is $\mathcal D(k) = |\langle k | \phi \rangle|^2$. 
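As an added example, not from the paper or from [18], the following Python code checks lemmas A.15 and A.16 on a constructed two-dimensional case: $a = |0\rangle$, and $b$ the point at distance $\epsilon$ from $a$ whose direction differs most from $a$ (the tangent point of the circle of radius $\epsilon$ around $a$), which is the geometric worst case behind the $\sqrt{2(1 - \sqrt{1-\epsilon^2})}$ expression in the proof of lemma A.15. The total variation distance is the unhalved sum defined above.

```python
"""Lemmas A.15 and A.16 on a constructed two-dimensional example: the cost of
normalising an approximation, and the total variation of the induced
distributions.  Added example; the states are constructed here."""
import math


def norm_distance(a, b):
    return math.sqrt(sum(abs(x - y) ** 2 for x, y in zip(a, b)))


def unit(b):
    """b', the unit vector in the direction of b."""
    n = math.sqrt(sum(abs(z) ** 2 for z in b))
    return [z / n for z in b]


def induced(state):
    """The distribution D(k) = |<k|state>|^2 of footnote 46."""
    return [abs(z) ** 2 for z in state]


def total_variation(d1, d2):
    """|D - D'| = sum_k |D(k) - D'(k)| as defined before lemma A.16 (no factor 1/2)."""
    return sum(abs(p - q) for p, q in zip(d1, d2))


def a15_curve(eps):
    """The proof's bound sqrt(2(1 - sqrt(1 - eps^2))) divided by eps; at most sqrt 2 on (0, 1]."""
    return math.sqrt(2 * (1 - math.sqrt(1 - eps * eps))) / eps


def tangent_case(eps):
    """a = |0>; b is the point at distance eps from a whose direction is farthest
    from a, so the angle theta between a and b has sin(theta) = eps (constructed
    worst case).  Returns the distances and the two lemma bounds."""
    s, c = eps, math.sqrt(1 - eps * eps)           # sin and cos of the angle between a and b
    a, b = [1.0, 0.0], [c * c, s * c]               # b = (cos theta) * (cos theta, sin theta)
    bp = unit(b)
    d_raw, d_unit = norm_distance(a, b), norm_distance(a, bp)
    tv = total_variation(induced(a), induced(bp))
    return {"eps": d_raw, "eps_unit": d_unit, "a15_bound": d_raw * math.sqrt(2),
            "tv": tv, "a16_bound": 2 * d_unit + d_unit ** 2}


if __name__ == "__main__":
    for eps in (0.1, 0.6, 0.9):
        print(eps, tangent_case(eps), a15_curve(eps))
```

With $\epsilon = 0.6$ the normalised distance is $\sqrt{0.4} \approx 0.632$, the measurement distributions $(1, 0)$ and $(0.64, 0.36)$ are at total variation $0.72$, and both lemma bounds hold with room to spare; the ratio `a15_curve` climbs towards $\sqrt 2$ only as $\epsilon \to 1$.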
Combining this with theorem A.14 and lemmata A.15 and A.16 gives the final 
result. 

Theorem A.17. 

1) Given an odd integer $N \ge 13$, and any $\sqrt 2 \ge \epsilon > 0$. Choose $L \ge 16$ and 
$M \ge LN$ both integral powers of 2 satisfying 

(179) $\frac{2}{\pi} \sqrt{ \frac{22 \ln^2 N}{L} + \frac{32 N^2}{LM} } + \frac{\pi L N}{M \sqrt 3} \le \frac{\epsilon}{\sqrt 2}$ 

Then there is a unit vector $|\psi\rangle$ such that the output $|v\rangle$ of the algorithm in section 
A.2.3 satisfies 

(180) $\left\| |v\rangle - F_N|u\rangle \otimes |\psi\rangle \right\| \le \epsilon$ 

2) We can always find such an $L$ and $M$ by choosing 

(181) $L = c_1 \frac{\ln^2 N}{\epsilon^2}$ 

(182) $M = c_2 \frac{N \ln^2 N}{\epsilon^3}$ 

for some constants $c_1, c_2$ satisfying 

(183) $65 \le c_1 \le 2 \times 65$ 

(184) $735 \le c_2 \le 2 \times 735$ 

3) The algorithm requires $\lceil \log M \rceil + 2$ qubits. By claim 2 a sufficient num-
ber of qubits is then $12.53 + 3 \log \frac{N \ln N}{\epsilon}$. The algorithm has operation complexity 
$O(\log M (\log \log M + \log 1/\epsilon))$. Again using claim 2 yields an operation complexity 
of 

(185) $O\left( \log \frac{N \ln N}{\epsilon} \left( \log \log \frac{N \ln N}{\epsilon} + \log \frac{1}{\epsilon} \right) \right)$ 

4) The induced probability distributions $\mathcal D_v$ from the output and $\mathcal D$ from $F_N|u\rangle \otimes |\psi\rangle$ 
satisfy 

(186) $|\mathcal D_v - \mathcal D| \le 2\epsilon + \epsilon^2$ 
Proof. Claim 1 follows directly from theorem A.14 and lemma A.15. Claim 1 and 
lemma A.16 give claim 4. 

To get claim 2, note that for the bound to be met, we must have $\frac{\ln^2 N}{L} < \epsilon^2$, and 
$\frac{LN}{M} < \epsilon$. Trying to keep $M$ small as $N$ and $\epsilon$ vary leads to the forms 
for $L$ and $M$ chosen. If we substitute lines 181 and 182 into 179 and simplify, we 
get 

(187) $\frac{4}{\pi} \sqrt{ \frac{11}{c_1} + \frac{16 \epsilon^3 N}{c_1 c_2 \ln^4 N} } + \frac{\pi \sqrt 2\, c_1}{\sqrt 3\, c_2} < 1$ 

The left hand side is largest when $\epsilon = \sqrt 2$ and $N = 55$, so it is enough to find 
constants $c_1$ and $c_2$ such that 

(188) $\frac{4}{\pi} \sqrt{ \frac{11}{c_1} + \frac{32 \sqrt 2 \cdot 55}{c_1 c_2 \ln^4 55} } + \frac{\pi \sqrt 2\, c_1}{\sqrt 3\, c_2} < 1$ 

Ultimately we want $L$ and $M$ to be powers of two, so we find a range for each of 
$c_1$ and $c_2$ such that the upper bound is at least twice the lower bound, and such 
that all pairs of values $(c_1, c_2)$ in these ranges satisfy inequality 188. To check that 
the claimed ranges work, note that for a fixed $c_1$, the expression increases as $c_2$ 
decreases, so it is enough to check the bound for $c_2 = 735$. After replacing $c_2$ in 
the expression with 735, the resulting expression has first and second derivatives 
with respect to $c_1$ over the claimed range, and the second derivative is positive, 
giving that the maximum value is assumed at an endpoint. So we only need to 
check inequality 188 at two points: $(c_1, c_2) = (65, 735)$ and $(2 \times 65, 735)$, both of 
which work. Thus the bound is met for all $(c_1, c_2)$ in the ranges claimed. With 
these choices for $M$ and $L$, note that $L \ge 16$ and $M \ge LN \Leftrightarrow c_2 \ge \epsilon c_1$, which is 
met over the claimed range, so all the hypotheses for claim 1 are satisfied. 

Finally, to prove claim 3, algorithm A.2.2 and the proof of lemma A.5 give that 
we need $\lceil \log N \rceil$ qubits in the first register and $\max\{\lceil \log L \rceil, \lceil \log(2\alpha + 1) \rceil\}$ qubits 
in the second register. $L \le \frac{M}{N} \le 2\alpha + 1$ gives that it is enough to have $\lceil \log(2\alpha + 1) \rceil$ 
qubits in the second register. Then $2\alpha + 1 \le \frac{M}{N} + 2$ gives 

(189) $\lceil \log(2\alpha + 1) \rceil \le \lceil 1 + \log M - \log N \rceil = 2 + \lceil \log M \rceil - \lceil \log N \rceil$ 

Thus $\lceil \log M \rceil + 2$ is enough qubits$^{47}$ for the algorithm. By claim 2, we can take 
$M \le 2 \times 735 \frac{N \ln^2 N}{\epsilon^3}$, giving $\lceil \log M \rceil + 2 \le \left\lceil 12.53 + 3 \log \frac{N \ln N}{\epsilon} \right\rceil$. 

As noted in [55] and [57], the most time consuming step in algorithm A.2.3 is 
the $F_M$ Fourier computation. Coppersmith [35] (reproduced in section A.1) shows 
how to $\epsilon$ approximate the quantum Fourier transform for order $M = 2^m$ with 
operation complexity of $O(\log M (\log \log M + \log 1/\epsilon))$. Using this to approximate 
our approximation within error $\epsilon$ gives the time complexities in claim 3, finishing 
the proof. □ 

Appendix B. Graph Reductions 

B.1. Basic Graph Algorithm Relations. Note that $G$ in this section is no longer 
a group as in the rest of the paper, but a graph. 

Following Mathon [9?], we show several graph isomorphism problems to be poly-
nomially equivalent. If the ability to solve problem $P_1$ allows solving problem $P_2$ 
with polynomially many uses of $P_1$, we say $P_2$ is polynomially reducible to $P_1$, and 
write $P_2 \propto_p P_1$. If $P_2 \propto_p P_1$ and $P_1 \propto_p P_2$ then we say $P_1$ and $P_2$ are polynomially 
equivalent. 

Given two undirected graphs $G_1(V_1, E_1)$ and $G_2(V_2, E_2)$ with vertex sets $V_i$ and 
edge sets $E_i$, $i = 1, 2$, we say $G_1$ is isomorphic to $G_2$, written $G_1 \cong G_2$, if there 
exists a bijection $\rho : V_1 \to V_2$ such that for all $x, y \in V_1$, $(x, y) \in E_1$ if and only if 
$(\rho x, \rho y) \in E_2$. 

Denote the group of automorphisms of $G$ by $\operatorname{aut} G$. The automorphism partition 
$\mathcal P$ denotes the set of disjoint orbits of each vertex under $\operatorname{aut} G$. 

47 An example requiring $\lceil \log M \rceil + 2$ qubits is $M = 1024$, $N = 65$, so the bound is tight. 
We consider the following six problems: 

ISO($G_1, G_2$): isomorphism recognition for $G_1$ and $G_2$, 

IMAP($G_1, G_2$): isomorphism map from $G_1$ onto $G_2$ if it exists, 

ICOUNT($G_1, G_2$): number of isomorphisms from $G_1$ to $G_2$, 

ACOUNT($G$): number of automorphisms of $G$, 

AGEN($G$): generators of the automorphism group of $G$, 

APART($G$): automorphism partition of $G$. 

Surprisingly, 

Theorem B.1. The problems ISO, IMAP, ICOUNT, ACOUNT, AGEN, 
and APART are polynomially equivalent. 

Before proving this we define some notation. Suppose $G(V, E)$ is a graph with 
$n$ vertices. We define graph labels: Let $G_{v_1, \ldots, v_k}$ denote a copy of $G$ with unique 
distinct labels attached to the vertices $v_1, \ldots, v_k \in V$. This can be accomplished in 
the following manner. To vertex $v_m$, $1 \le m \le k$, attach label "$m$", which is a new 
graph using $2n + m + 3$ vertices as follows: 

[Figure: the label gadget "$m$" attached to vertex $v_m$ of $G$; of its labels only $m$, $n + 1$, $n + 1$ and $G$ survive the extraction.] 

This modification has the property that vertices $v_1, \ldots, v_k$ are fixed by any $\rho \in 
\operatorname{aut} G_{v_1, \ldots, v_k}$, and also there is a natural inclusion $\operatorname{aut} G_{v_1, \ldots, v_k} \subseteq \operatorname{aut} G$, obtained 
by ignoring the labels. Finally, labelling all vertices adds $O(n^2)$ new 
vertices, retaining polynomial algorithm equivalence between problems on $G$ and 

Proof. (Following Mathon @) 

IMAP oc p ISO: Let v\, . . . ,v n be the vertices of G\. If G 2 does not have n 
vertices then there is no isomorphism. Otherwise use ISO at most n times to find 
a u\ € V 2 such that there is an isomorphism G\ Vl = G 2ui , otherwise there is no 
isomorphism. If such a u\ is found, there is an isomorphism p mapping v\ — > u\. 
Continue fixing v\, . . . , Vj, Mi, ... , Uj-% and searching for Uj £ V 2 . This constructs 
an isomorphism if it exists, calling ISO 0(n 2 ) times. 

ACOUNT cc p ISO: For a given labelling G vli ,., tVk of a graph G let aut G vli ,., tVk 
be the corresponding automorphism group, which is the subgroup of aut G that 
fixes the vertices v±, . . . ,Vk- We will show that |aut G 

vi f ...,Vk—i I — (^/c|aut G Vl ? _ _ _ jVk | , 
where dfe is the size of the orbit TTk of Vk in aut G t , 1) ... i „ A ,_ 1 . For 1 < i < dk let 
0, G aut G V1 ... Vfe _j be an automorphism which maps the z th vertex of 7Tfc onto w^. 
Then every r G aut G t , lj ... iVj! _ 1 is a product of a unique G {0i, . . . ,0d fc } an d a 

unique ^ G aut G Vli ... iVk . Since |aut G Vl „ n | = 1, |aut G| = di<i 2 . . .d„, and each 

dk can be found by solving ISO at most n — k times. Thus we compute |aut G| by 
calling ISO at most 0(n 2 ) times. 

ICOUNT oc p ISO: Let Ni be the number of isomorphisms from Gi onto G 2 . 
If Gi ^ G 2 then AT/ = is determined with one call to ISO. Otherwise we claim 
N] = |aut Gi| = |aut G 2 |, in which case we use ACOUNT on Gi and on G 2 , 



n + 1 



n + 1 




G 
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calling ISO 0(n 2 ) times as above. The claim is proved by the fact that if a : V\ — > 
V2 is an isomorphism from Gi onto G 2 and p is an automorphism of G 2 then poa is 
also a graph isomorphism. Moreover any isomorphism a' can be uniquely expressed 
as a' = p' o a where p' G |aut G 2 |. This 1 — 1 correspondence between |aut G 2 | and 
the number of isomorphisms G\ — > G2 proves the claim. 

APART cc p ISO: Two vertices u, v G V of a graph G belong to the same cell 
of the automorphism partition V of G if G u = G„ for identical labels of u and f . 
Hence at most 0(n 2 ) calls to ISO are needed to find V, trying all combinations of 
u and v. 

AGEN oc p ISO: Applying IMAP to the graphs G Vu ... yVk and G Vli ... iVk _ ltVl 
with identical labels for k + 1 < I < n we determine the sets of automorphisms 
$>k = {<^ij • • • j 4>dk) a t level k (using notation from above). From the proof of 
IMAP cc p ISO it follows that the set $1 (J • • • (J of maps generates aut G. 
Since dk < n — k + 1 implies 

n 

we see that at most 0(n 4 ) calls to ISO solve AGEN. This order can be reduced 
to 0(n 3 ) using APART to find the partition of G Vl ,...,v k and by generating only 
one 4>i for every feasible orbit in V \ {v\, . . . , Vk} at each level k. It is easily shown 
at most n generators are produced in this case. 

ISO oc p IMAP, ICOUNT: A single call to either IMAP or ICOUNT gives 
ISO. 

From now on assume G\ and G2 are each connected (otherwise we may use their 
complements) . 

ISO ot p ACOUNT: Apply ACOUNT to G u G 2 , and G 3 = G1IJG2. If 
|aut Gi| = I aut G 2 | and |aut Gi| • |aut G 2 | ^ |aut G 3 | then Gi = G 2 , else Gi ^ G 2 . 

ISO $\propto_p$ AGEN: Apply AGEN to $G_3 = G_1 \cup G_2$. If $\alpha(v) = u$ for some $v \in V_1$, $u \in V_2$, and $\alpha \in \mathrm{aut}\, G_3$ then $G_1 \cong G_2$, else $G_1 \not\cong G_2$. From the proof of AGEN $\propto_p$ ISO we can assume we have at most $n^2$ generators of $\mathrm{aut}\, G_3$ to check, so this can be checked in at most $n^4 = |V_1| \cdot |V_2| \cdot n^2$ operations, assuming constant time to check one. 

ISO $\propto_p$ APART: Apply APART to $G_3 = G_1 \cup G_2$. If $v, u$ belong to the same cell of the partition $\mathcal{V}$ of $G_3$ for some $v \in V_1$, $u \in V_2$, then $G_1 \cong G_2$, otherwise $G_1 \not\cong G_2$. This can be checked quickly by scanning the partition once. 

This completes the proof of the theorem. □ 

Finally, following [^l, Theorem 1.31], we can reduce this to efficient algorithms solving the following graph automorphism questions: 

• GA($G$): Given a graph $G$, decide whether its automorphism group has a nontrivial automorphism. 

• GA1($G$): Given that $|\mathrm{aut}\, G| \in \{1, 2\}$, determine $|\mathrm{aut}\, G|$. 

We note that GA($G$) seems easier than ISO($G_1$, $G_2$) [fl]. 

As above, we are able to reduce the seemingly more complex GA to GA1: 

Theorem B.2. GA $\propto_p$ GA1 

For a proof, see [^l]. 

So there are many ways to approach the graph isomorphism and graph automorphism problems, some of which at first glance seem easier than the original question. For the purposes of quantum computation, and in particular reducing these questions to finding hidden subgroups of $S_n$, see the next section (B.2). 

As a final note, there are far reaching proofs that show determining isomorphism between any finite algebraic structures (such as rings, groups, fields, etc.) is polynomial-time many-to-one reducible to ISO, making a fast ISO algorithm extremely useful across many disciplines [95]. These are a few of the reasons that an efficient ISO algorithm has seen such strong research interest. 

B.2. Quantum HSP for Graph Isomorphism. We want to show how being able to find hidden subgroups $H$ of $S_n$ allows solving ISO, which then gives efficient algorithms for all the problems in the previous section. We define our hidden function $f : S_n \to \{\text{permutations of } G\}$ by $f(\pi) = \pi(G)$. So $f$ applies a permutation $\pi$ to the vertices of $G$. We need to show $f$ separates cosets of $H = \mathrm{aut}\, G$, and that $f$ is efficiently computable. Then an algorithm giving generators of $H$, i.e., giving an algorithm for AGEN, gives the desired algorithm for ISO. 

To make this precise, suppose $G$ is represented on a computer by a list of pairs $(v_i, v_j)$ of vertices where there is an edge from vertex $i$ to vertex $j$. Assume this list is sorted and each pair is sorted. We define $f$ at the programming level as taking a permutation (which can just be a list $\pi$ of $n$ pairs $i \to \pi(i)$) and doing the following two steps: apply the permutation to the integers $v_i$ in time $O(\#\text{edges})$, then sort the result efficiently by usual methods (Quicksort, etc.). Thus $f$ can be computed efficiently, and leaves $G$ in a state where comparisons can be done quickly (that is, $G = \pi(G)$ if and only if $G = f(\pi)$ using this encoding, which you should check). 

Let $S_n$ act on the $n$ vertices of $G$, and let $H = \mathrm{aut}(G) \le S_n$. To show $f$ separates cosets of $H$, we want $f(\pi_1) = f(\pi_2)$ if and only if $\pi_1 H = \pi_2 H$, which follows from 

$f(\pi_1) = f(\pi_2) \iff \pi_1(G) = \pi_2(G) \iff \pi_2^{-1}\pi_1(G) = G$ 

$\iff \pi_2^{-1}\pi_1 \in \mathrm{aut}\, G \iff \pi_2^{-1}\pi_1 H = H \iff \pi_1 H = \pi_2 H.$ 

This shows $f$ can be used in the standard quantum Fourier sampling algorithm to find generators for $H$. Whether this can be done efficiently is an open question. 
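The encoding and hidden function just described, written out as an added example (Python, not code from the paper): `hidden_function` is $f$ on the sorted edge-list encoding, `separates_cosets` verifies $f(\pi_1) = f(\pi_2) \iff \pi_1 H = \pi_2 H$ by brute force, and `isomorphic_via_automorphisms` is the ISO $\propto_p$ AGEN test of Section B.1 applied to $G_1 \cup G_2$. The graphs and all function names are constructed for the example, and $\mathrm{aut}\, G$ is found by brute force over $S_n$ rather than by any quantum step.

```python
from itertools import permutations

# Constructed sample graphs (not from the paper): two differently labelled
# 4-cycles and a 4-vertex path, as edge lists on vertices 0..n-1.
C4_EDGES = [(0, 1), (1, 2), (2, 3), (3, 0)]
C4_RELABELLED = [(0, 2), (2, 1), (1, 3), (3, 0)]
P4_EDGES = [(0, 1), (1, 2), (2, 3)]


def canon(edges):
    """The encoding the text assumes: a sorted list of sorted vertex pairs."""
    return sorted(tuple(sorted(e)) for e in edges)


def all_perms(n):
    """S_n, each permutation stored as a dict i -> pi(i)."""
    return [dict(zip(range(n), p)) for p in permutations(range(n))]


def hidden_function(pi, edges):
    """f(pi) = pi(G): relabel every edge through pi, then re-sort.

    Relabelling costs O(#edges); sorting makes the result canonical, so two
    outputs compare equal exactly when the relabelled graphs are identical."""
    return canon((pi[u], pi[v]) for u, v in edges)


def automorphism_group(n, edges):
    """H = aut G by brute force over S_n (fine for the tiny n used here)."""
    g = canon(edges)
    return [pi for pi in all_perms(n) if hidden_function(pi, g) == g]


def compose(a, b):
    """(a o b)(i) = a(b(i))."""
    return {i: a[b[i]] for i in b}


def inverse(p):
    return {v: k for k, v in p.items()}


def same_left_coset(p1, p2, H):
    """pi_1 H = pi_2 H  <=>  pi_2^{-1} pi_1 in H."""
    return compose(inverse(p2), p1) in H


def separates_cosets(n, edges):
    """Check f(pi_1) = f(pi_2) <=> pi_1 H = pi_2 H over every pair in S_n x S_n."""
    g = canon(edges)
    H = automorphism_group(n, g)
    perms = all_perms(n)
    return all(
        (hidden_function(a, g) == hidden_function(b, g)) == same_left_coset(a, b, H)
        for a in perms for b in perms
    )


def disjoint_union(n1, e1, n2, e2):
    """G_3 = G_1 U G_2 with the vertices of G_2 shifted past those of G_1."""
    return n1 + n2, canon(list(e1) + [(u + n1, v + n1) for u, v in e2])


def isomorphic_via_automorphisms(n1, e1, n2, e2):
    """ISO from aut(G_1 U G_2): for connected G_1, G_2 they are isomorphic iff
    some automorphism of the union sends a vertex of V_1 into V_2.  The text
    checks a generating set; scanning the whole brute-forced group is equivalent."""
    n, e = disjoint_union(n1, e1, n2, e2)
    return any(alpha[v] >= n1 for alpha in automorphism_group(n, e)
               for v in range(n1))


if __name__ == "__main__":
    print(len(automorphism_group(4, C4_EDGES)))                          # 8
    print(separates_cosets(4, C4_EDGES))                                 # True
    print(isomorphic_via_automorphisms(4, C4_EDGES, 4, C4_RELABELLED))   # True
    print(isomorphic_via_automorphisms(4, C4_EDGES, 4, P4_EDGES))        # False
```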

Appendix C. Quantum Mechanics Details 

C.1. The Rules and Math of Quantum Mechanics. 

C.1.1. Enter the Qubit. First we start out with the basic block of quantum computing. Analogous to the bit in classical computing, there is a quantum bit in quantum computing. A classical bit is a 2 state system, with the states denoted 0 and 1. A classical bit is always in one of those states or the other, and measuring the state returns 0 or 1 with certainty. $n$ bits can be in exactly one of $2^n$ different ordered states, usually denoted $000\ldots00, 000\ldots01, \ldots, 111\ldots11$.$^{48}$ 

Quantum bits (which we shall call qubits) similarly can exist in two states, which we call $|0\rangle$ and $|1\rangle$. However, they behave as if existing in many "in between" states. A quantum bit can be physically represented by any two state (or more) system, such as electron spin up and down, photon energy states, atomic energy levels, molecular vibrational freedom, and many others. For our purposes we assume physical representations are available (they are). 

To make the concept of a qubit precise, we define 

Definition C.1 (Qubit). A qubit (or quantum-bit) is a unit vector in $\mathbb{C}^2$. 

Definition C.2 (State vector). The state of a quantum system is a (column) vector in some vector space, written $|\psi\rangle$. 

With this definition, we fix an orthonormal basis of (column) vectors, labelled $|0\rangle = \binom{1}{0}$ and $|1\rangle = \binom{0}{1}$. It will turn out that physically, we can only distinguish orthogonal quantum states, thus the orthogonality requirement. And considerations of probability will make the normality convenient, thus we fix an orthonormal basis. Any such basis of $\mathbb{C}^2$ will work, but we choose the above representations since they are good to work with. Finally, we make a qubit a unit vector because, again, it makes calculations cleaner, and has some physical significance. 

Now for the differences from classical bits. A qubit can be any unit vector, not just those corresponding to $|0\rangle$ and $|1\rangle$. A qubit can be in the state 

(190) $\alpha|0\rangle + \beta|1\rangle$ 

where $\alpha$ and $\beta$ are complex numbers, with $|\alpha|^2 + |\beta|^2 = 1$. While it only takes one "bit" to fully describe the state of a classical bit, it takes two complex numbers to completely describe the state of one qubit, which intuitively is infinitely more information! However we will see there are practical limitations to the amount of "information" one can retrieve from a single qubit. 

This gives us the first of four postulates of quantum mechanics: 

Quantum Mechanics Postulate 1: State Space Associated to an isolated physical system is a complex vector space with inner product (a Hilbert space) known as the state space of the system. The system is completely described by its state vector, which is a unit vector in the system's state space. Thus an $n$-qubit system is a unit vector in $\mathbb{C}^{2^n}$. 

We will explain the inner product below (we can use the Euclidean one). 

$^{48}$ "There are only 10 kinds of people in the world. Those who understand binary and those who don't." 



C.1.2. How to "Measure" a Qubit. In principle you could store the knowledge in the Library of Congress on one qubit, but you could never retrieve it. When you read out the value in a qubit in the state in equation (190), it returns the state $|0\rangle$ with probability $|\alpha|^2$, or it returns the state $|1\rangle$ with probability $|\beta|^2$, and then the qubit assumes the state just returned. Thus we can only get one state back out from the qubit, which collapses (destroys) the rest of the information in the qubit. For example, suppose we have a qubit in the state 
(191) |^) = -L|0> + -^|1) 

What are the odds that it returns a $|1\rangle$ when measured? A $|0\rangle$? This generalizes to multiple qubits as we soon see. 

One last point is worth mentioning: there is a useful way to visualize operations on a single qubit, using the Bloch sphere. It will turn out that under observation, states $|\psi\rangle$ and $e^{i\theta}|\psi\rangle$ have the same behavior, so we can modify a state up to the phase $e^{i\theta}$, where $i = \sqrt{-1}$. So given a single qubit state $\alpha|0\rangle + \beta|1\rangle$, we can remove a phase to write 

(192) $\alpha|0\rangle + \beta|1\rangle = e^{i\gamma}\left(\cos\frac{\theta}{2}|0\rangle + e^{i\varphi}\sin\frac{\theta}{2}|1\rangle\right)$ 

Since the phase $e^{i\gamma}$ out front has no effect on measurements, we can use $\theta$ and $\varphi$ for spherical coordinates 

(193) $x = \cos\varphi\sin\theta$ 

(194) $y = \sin\varphi\sin\theta$ 

(195) $z = \cos\theta$ 

This allows us to picture a qubit as a point on a three dimensional sphere, and visualize operations upon a qubit. 

Unfortunately, this has no known generalization to multiple qubits. 

Unfortunately, this has no known generalization to multiple qubits 

C.1.3. Qubits Galore. Similar to concatenating $n$ classical bits to get "bitstrings", we concatenate qubits to get larger systems. Two qubits form a space spanned by four vectors 

(196) $|0\rangle\otimes|0\rangle, \quad |0\rangle\otimes|1\rangle, \quad |1\rangle\otimes|0\rangle, \quad \text{and } |1\rangle\otimes|1\rangle$ 

where we will define the "tensor product" $\otimes$ in a moment. Shorthand for the above expressions is 

(197) $|00\rangle, \quad |01\rangle, \quad |10\rangle, \quad \text{and } |11\rangle$ 

Definition C.3. The tensor product of two vectors $x = (x_1, x_2, \ldots, x_n)^T$ and $y = (y_1, y_2, \ldots, y_m)^T$ is the vector in $nm$ dimensional space given by 

(198) $x \otimes y = (x_1 y_1, \; x_1 y_2, \; \ldots, \; x_1 y_m, \; x_2 y_1, \; \ldots, \; x_2 y_m, \; \ldots, \; x_n y_1, \; \ldots, \; x_n y_m)^T$ 

Homework C.1. Check this definition does not depend on a choice of basis. 

Now we can check the second basis element (dictionary ordering) 

(199) $|01\rangle = |0\rangle \otimes |1\rangle$ 

(200) $= \binom{1}{0} \otimes \binom{0}{1}$ 

(201) $= (0, 1, 0, 0)^T$ 

and we get the second usual basis element of $\mathbb{C}^4$. This works in general; that is, the vector corresponding to the state $|n\rangle$ where $n$ is a binary number, is the $(n+1)$st standard basis element. We also use the decimal shorthand sometimes: $|32\rangle$ is the 33rd standard basis vector in some space which would be clear from context. 

Back to the inner product from Postulate 1: We write it using the "braket" notation, where the symbol $|k\rangle$ is called a ket, and the dual $\langle j|$ is a bra. Given a state (ket) $|\psi\rangle = \sum_j \alpha_j |j\rangle$, we define the dual (bra) as the conjugate transpose, that is, 

(202) $\langle\psi| = \sum_j \overline{\alpha_j} \langle j|$ 

Together we write $\langle j|k\rangle$, which is the "braket" of states $|j\rangle$ and $|k\rangle$. Since the states are orthonormal, $\langle j|k\rangle$ is 1 if and only if $j = k$, otherwise it is zero. We extend this inner product $\langle -, - \rangle$ to general states via linearity. Thus states $|\psi_1\rangle = \sum_j \alpha_j |j\rangle$ and $|\psi_2\rangle = \sum_k \beta_k |k\rangle$ give 

$\langle\psi_1|\psi_2\rangle = \sum_j \overline{\alpha_j} \langle j| \sum_k \beta_k |k\rangle = \sum_j \overline{\alpha_j}\beta_j$ 

So we have the equivalent notations for a 5-qubit state: 

$|1\rangle \otimes |0\rangle \otimes |0\rangle \otimes |1\rangle \otimes |0\rangle = |10010\rangle = |18\rangle$ 

It is worth noting that not all composite states are simple tensor products of single states. One of the simplest is one of the 2 qubit Bell states, $\beta_{00} = \frac{|00\rangle + |11\rangle}{\sqrt{2}}$. This is an example of an entangled state which turns out to be a very useful computational resource later. 

Homework C.2. Prove $\beta_{00}$ is not of the form $|\psi\rangle \otimes |\phi\rangle$. 

When appropriate, we may drop the normalization factor to clean up calculations. Then we could write $\beta_{00} = |00\rangle + |11\rangle$, with the understanding this needs to be normalized. 



C.1.4. Measuring Revisited. Now, how about measuring these states? An arbitrary 2-qubit state is 

$|\psi\rangle = \alpha_{00}|00\rangle + \alpha_{01}|01\rangle + \alpha_{10}|10\rangle + \alpha_{11}|11\rangle$ 

with complex valued $\alpha_{ij}$. Requiring $\sum_{i,j} |\alpha_{ij}|^2 = 1$ is called the "normalization requirement", and we assume all states are normalized. Sometimes to avoid clutter we will drop the coefficients. 

Suppose we only measure the first qubit of $|\psi\rangle$. We will obtain $|0\rangle$ with probability $|\alpha_{00}|^2 + |\alpha_{01}|^2$, that is, we obtain a state with probability equal to the sum of the squared magnitudes of all states that contribute. After measuring, we know the first qubit is $|0\rangle$, so only those type of states are left, causing the new state to be 

$\frac{\alpha_{00}|00\rangle + \alpha_{01}|01\rangle}{\sqrt{|\alpha_{00}|^2 + |\alpha_{01}|^2}}$ 

Notice the new normalization factor in the denominator. Again, this idea generalizes to arbitrary (finite) dimension. 

Thus we have a way to denote arbitrary quantum states on $n$ qubits: 

(203) $|\psi\rangle = \sum_{j=0}^{2^n - 1} \alpha_j |j\rangle$ 

where the $\alpha_j$ are complex numbers satisfying the normalization requirement. Measuring $|\psi\rangle$ returns state $|j\rangle$ with probability $|\alpha_j|^2$, and then becomes state $|j\rangle$. 
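As an added illustration (not from the paper), the following Python carries out the tensor product of Definition C.3, the $|n\rangle \leftrightarrow (n+1)$st-standard-basis-vector convention, the braket inner product, the product-state test behind Homework C.2, and the partial measurement rule of this section, on constructed example states; all function names are constructed here.

```python
import math

# |0> and |1> as column vectors (Python lists); every state below is built from them.
KET0 = [1, 0]
KET1 = [0, 1]


def tensor(x, y):
    """Definition C.3: x (x) y = (x_1 y_1, ..., x_1 y_m, x_2 y_1, ..., x_n y_m)^T."""
    return [xi * yj for xi in x for yj in y]


def ket(bits):
    """|b_1 b_2 ... b_n> by repeated tensor product.  With dictionary ordering this
    is the (n+1)-st standard basis vector of C^(2^n), n the binary value of `bits`."""
    v = [1]
    for b in bits:
        v = tensor(v, KET1 if b == "1" else KET0)
    return v


def basis_index(v):
    """Decimal shorthand: the n with |n> == v, for a standard basis vector v."""
    return v.index(1)


def braket(psi1, psi2):
    """<psi1|psi2> = sum_j conj(alpha_j) beta_j, the linear extension of <j|k> = delta_jk."""
    return sum(a.conjugate() * b for a, b in zip(psi1, psi2))


def is_normalized(amps, eps=1e-12):
    """The normalization requirement sum_j |alpha_j|^2 = 1."""
    return abs(braket(amps, amps) - 1) < eps


def is_product_state(amps, eps=1e-12):
    """Homework C.2 as a test for two qubits: alpha_00|00> + ... + alpha_11|11> is
    |psi> (x) |phi> iff the 2x2 coefficient matrix has rank 1, i.e.
    alpha_00 * alpha_11 == alpha_01 * alpha_10."""
    a00, a01, a10, a11 = amps
    return abs(a00 * a11 - a01 * a10) < eps


def measure_first_qubit(amps, outcome):
    """Measure only the first of n qubits (C.1.4).  Returns p(outcome) and the
    renormalized post-measurement state, or (0.0, None) if that outcome cannot occur.
    In dictionary ordering the first qubit of basis index j is the top bit of j."""
    n = int(math.log2(len(amps)))
    keep = [((j >> (n - 1)) & 1) == outcome for j in range(len(amps))]
    prob = sum(abs(a) ** 2 for a, k in zip(amps, keep) if k)
    if prob == 0:
        return 0.0, None
    norm = math.sqrt(prob)
    return prob, [a / norm if k else 0 for a, k in zip(amps, keep)]


# Constructed example states: the Bell state beta_00 and the product state |+> (x) |0>.
BELL_00 = [1 / math.sqrt(2), 0, 0, 1 / math.sqrt(2)]
PLUS_ZERO = tensor([1 / math.sqrt(2), 1 / math.sqrt(2)], KET0)

if __name__ == "__main__":
    print(ket("01"), basis_index(ket("10010")))                    # [0, 1, 0, 0] 18
    print(is_product_state(BELL_00), is_product_state(PLUS_ZERO))  # False True
    print(measure_first_qubit(BELL_00, 0)[0])                      # 0.5
```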
C.1.5. Qubit Evolution. We would like our quantum computers to work similar to classical computers. Classically, a very basic operation at the bit level is the NOT gate, which flips bits, that is 0 becomes 1 and 1 becomes 0. So the quantum version would take the state $\alpha|0\rangle + \beta|1\rangle \xrightarrow{\mathrm{NOT}} \beta|0\rangle + \alpha|1\rangle$. It is easy to check the matrix 

(204) $X = \begin{pmatrix} 0 & 1 \\ 1 & 0 \end{pmatrix}$ 

performs the desired operation, by multiplying $X$ on the left of the state. The name $X$ is historical, and we will see the exponential of $X$ rotates qubits around the $x$-axis on the Bloch sphere. Since $X$ acts like a NOT gate on a qubit, it is often called the NOT operator. 

For fun, we compute "the square root of NOT." We want an operator $\sqrt{\mathrm{NOT}}$ that when applied twice to a qubit, has the effect of NOT. This procedure will be useful when we need to construct quantum circuits and when we explain exponentials. 

In general, given a function $f(t)$ of one complex variable, we extend this definition to diagonalizable matrices $M = \mathrm{diag}(m_1, m_2, \ldots, m_n)$ via: 

(205) $f(M) = \mathrm{diag}(f(m_1), f(m_2), \ldots, f(m_n))$ 

Since we want $\sqrt{X}$, we need to diagonalize $X$. Note the eigenvectors of $X$ are $\binom{1}{1}$ and $\binom{1}{-1}$. Setting a matrix $P$ with these as column vectors, we have under this basis change the diagonal matrix 

$P^{-1} X P = \frac{1}{2}\begin{pmatrix} 1 & 1 \\ 1 & -1 \end{pmatrix}\begin{pmatrix} 0 & 1 \\ 1 & 0 \end{pmatrix}\begin{pmatrix} 1 & 1 \\ 1 & -1 \end{pmatrix} = \begin{pmatrix} 1 & 0 \\ 0 & -1 \end{pmatrix}$ 

Applying $f(t) = \sqrt{t}$, and changing the basis back gives 

$\sqrt{X} = \frac{1}{2}\begin{pmatrix} 1 & 1 \\ 1 & -1 \end{pmatrix}\begin{pmatrix} 1 & 0 \\ 0 & i \end{pmatrix}\begin{pmatrix} 1 & 1 \\ 1 & -1 \end{pmatrix} = \frac{1}{2}\begin{pmatrix} 1+i & 1-i \\ 1-i & 1+i \end{pmatrix} = \sqrt{\mathrm{NOT}}$ 

It is an easy check to see that $\sqrt{\mathrm{NOT}}^2 = X$. 

This process of diagonalizing an operator, applying a function, and restoring the basis will be invaluable later. 

Homework C.3. What is the effect of $e^{-i\theta X/2}$ on the Bloch sphere, where $\theta$ is a real number? 

C.1.6. A Universal Quantum Gate? It is a basic result in computer science that any circuit can be built with NAND gates, which perform the following operation on two bits $a$ and $b$: 

  a  b | a NAND b 
  0  0 |    1 
  0  1 |    1 
  1  0 |    1 
  1  1 |    0 

Any function on $n$ bits can be built up from NAND gates. However the general function requires exponentially many gates, so in practice we are restricted in the functions we utilize. 






So is there a similar "gate" for quantum computing? Yes, and no. It will take a while to answer this precisely, but there are finite (and small) sets of gates sufficient to approximate any desired quantum operation to any degree of accuracy in an efficient manner.$^{49}$ 

To understand what operations we can physically apply to a qubit (or set of qubits), we are led to study rules from quantum mechanics. It has become clear that abstract models of computation and information theory should be derived from physical law, rather than as standalone mathematical structures, since it is ultimately physical law that determines computability and information. Observation has led researchers to believe that at the quantum level, the following two facts hold: 

• All quantum evolution is reversible. That is very unlike the classical case, where for example NAND is not reversible.$^{50}$ This is illustrated by the fact that an electron in orbit does not emit radiation and spiral into the nucleus. 

• Quantum evolution is linear. That is, if an experiment is done on the state $|0\rangle$ and on the state $|1\rangle$, then when performed on mixed states the resulting state is the same state as if the initial two answers were added. 

So we are left with "reversible" linear operators on the states, that is, matrices! Since the resulting state should satisfy the normalization requirement also, it turns out that any unitary operation is allowed. Recall $U$ unitary means $U^\dagger U = I$. We now have: 

Quantum Mechanics Postulate 2: State Evolution The evolution of a closed quantum system is described by a unitary transformation. That is, the state $|\psi\rangle$ of a system at time $t_1$ is related to the state $|\psi'\rangle$ at time $t_2$ by a unitary operator $U$ which depends only on the times $t_1$ and $t_2$, 

(206) $|\psi'\rangle = U|\psi\rangle$ 

Now we know how to specify quantum states and what is legal for manipulating the state. 

C.1.7. Intermission: Linear Algebra Review. We will need several facts, terms, and theorems from linear algebra. It will be easiest to just fire them off (we also combine some previous facts here for the heck of it). 

Definition C.4. Let $H, A, B, U$ be linear operators on a vector space $V$. 

(1) $H^\dagger$ is the conjugate transpose of $H$. 

(2) $H$ is Hermitian or self-adjoint if $H = H^\dagger$. 

(3) $|\psi\rangle$ is a column vector. 

(4) $\langle\psi|$ is the dual to $|\psi\rangle$, defined $\langle\psi| = |\psi\rangle^\dagger$. 

(5) $|\psi\phi\rangle = |\psi\rangle|\phi\rangle = |\psi\rangle \otimes |\phi\rangle$. 

(6) $[A, B] = AB - BA$. 

(7) $\{A, B\} = AB + BA$. 

(8) $A$ is normal if $A^\dagger A = AA^\dagger$. 

(9) $U$ is unitary if $U^\dagger U = I$. 

$^{49}$ The Solovay-Kitaev theorem says that for any gate $U$ on a single qubit, and given any $\epsilon > 0$, it is possible to approximate $U$ to a precision $\epsilon$ using $\Theta(\log^c(1/\epsilon))$ gates from a fixed, finite set, where $1 < c < 2$. Determining $c$ is an open problem. 

$^{50}$ Charles Bennett of IBM research showed in the 1970's that energy is used in computations to destroy information. Lossless computation can theoretically be done with no energy usage whatsoever! 
(10) $A$ is positive if $\langle\psi|A|\psi\rangle \ge 0$ for all $\psi$. 

(11) $\langle\psi|A|\phi\rangle$ is the inner product of $\psi$ and $A|\phi\rangle$. 

(12) We define specific matrices (the first 4 are the Pauli matrices) 

$\sigma_0 = I = \begin{pmatrix} 1 & 0 \\ 0 & 1 \end{pmatrix}, \quad \sigma_1 = \sigma_x = X = \begin{pmatrix} 0 & 1 \\ 1 & 0 \end{pmatrix}, \quad \sigma_2 = \sigma_y = Y = \begin{pmatrix} 0 & -i \\ i & 0 \end{pmatrix}, \quad \sigma_3 = \sigma_z = Z = \begin{pmatrix} 1 & 0 \\ 0 & -1 \end{pmatrix}$ 

(13) For a unit vector $\hat{n} = (n_x, n_y, n_z) \in \mathbb{R}^3$, define $\hat{n}\cdot\sigma = n_x\sigma_x + n_y\sigma_y + n_z\sigma_z$. 

(14) Bloch Sphere. Given a state $a|0\rangle + b|1\rangle$ we may assume $a$ is real by phase rotation. Then define for $\phi \in [0, 2\pi]$ and $\theta \in [0, \pi]$ 

(207) $\cos\frac{\theta}{2} = a$ 

(208) $e^{i\phi}\sin\frac{\theta}{2} = b$ 

Then the point on the Bloch Sphere is $(\cos\phi\sin\theta, \sin\phi\sin\theta, \cos\theta)$. 

(15) Define the three rotation matrices: 

$R_x(\theta) = e^{-i\theta X/2} = \cos\frac{\theta}{2} I - i\sin\frac{\theta}{2} X = \begin{pmatrix} \cos(\theta/2) & -i\sin(\theta/2) \\ -i\sin(\theta/2) & \cos(\theta/2) \end{pmatrix}$ 

$R_y(\theta) = e^{-i\theta Y/2} = \cos\frac{\theta}{2} I - i\sin\frac{\theta}{2} Y = \begin{pmatrix} \cos(\theta/2) & -\sin(\theta/2) \\ \sin(\theta/2) & \cos(\theta/2) \end{pmatrix}$ 

$R_z(\theta) = e^{-i\theta Z/2} = \cos\frac{\theta}{2} I - i\sin\frac{\theta}{2} Z = \begin{pmatrix} e^{-i\theta/2} & 0 \\ 0 & e^{i\theta/2} \end{pmatrix}$ 

(16) For a composite quantum system $AB$, the partial trace is an operator from density operators on $AB$ to density operators on $A$, defined on product operators by $\mathrm{tr}_B(|a_1\rangle\langle a_2| \otimes |b_1\rangle\langle b_2|) = \langle b_2|b_1\rangle\, |a_1\rangle\langle a_2|$ and extended by linearity. On matrices: let $\dim A = n$, $\dim B = m$, then it takes an $mn$ by $mn$ matrix, and replaces each $m$ by $m$ sub-block with its trace to give an $n$ by $n$ matrix. 

(17) The Bell States are the 2-qubit basis states 

(209) $|\beta_{00}\rangle = \frac{|00\rangle + |11\rangle}{\sqrt{2}}$ 

(210) $|\beta_{01}\rangle = \frac{|01\rangle + |10\rangle}{\sqrt{2}}$ 

(211) $|\beta_{10}\rangle = \frac{|00\rangle - |11\rangle}{\sqrt{2}}$ 

(212) $|\beta_{11}\rangle = \frac{|01\rangle - |10\rangle}{\sqrt{2}}$ 

Note: The four Pauli matrices ($I$, $X$, $Y$, and $Z$) have significance, since they form a basis of all linear operators on one qubit, and correspond to similarly named actions on the Bloch sphere. 
We can write operators like $X$ in an equivalent operator notation, which is often convenient to use in calculations. Noting that $\langle 0|$ is a row vector, then $|0\rangle\langle 0|$ is a $2 \times 2$ matrix. We can write $X$ as: 

(213) $X = |0\rangle\langle 1| + |1\rangle\langle 0|$ 

(214) $= \binom{1}{0}\,(0 \;\; 1) + \binom{0}{1}\,(1 \;\; 0)$ 

(215) $= \begin{pmatrix} 0 & 1 \\ 0 & 0 \end{pmatrix} + \begin{pmatrix} 0 & 0 \\ 1 & 0 \end{pmatrix} = \begin{pmatrix} 0 & 1 \\ 1 & 0 \end{pmatrix}$ 

This is interpreted quickly: $X$ sends state $0$ to $1$, and vice versa. 

Example: As an example calculation, we compute $\langle\beta_{00}| I \otimes X |\beta_{10}\rangle$ two different ways. The first way is matrix multiplication: Noting that $|00\rangle = (1, 0, 0, 0)^T$ and $|11\rangle = (0, 0, 0, 1)^T$, we have 

(216) $\langle\beta_{00}| I \otimes X |\beta_{10}\rangle = \left(\frac{\langle 00| + \langle 11|}{\sqrt{2}}\right)(I \otimes X)\left(\frac{|00\rangle - |11\rangle}{\sqrt{2}}\right)$ 

(217) $= \frac{1}{2}\,(1 \;\; 0 \;\; 0 \;\; 1)\begin{pmatrix} 0 & 1 & 0 & 0 \\ 1 & 0 & 0 & 0 \\ 0 & 0 & 0 & 1 \\ 0 & 0 & 1 & 0 \end{pmatrix}\begin{pmatrix} 1 \\ 0 \\ 0 \\ -1 \end{pmatrix}$ 

(218) $= \frac{1}{2}\,(1 \;\; 0 \;\; 0 \;\; 1)\begin{pmatrix} 0 \\ 1 \\ -1 \\ 0 \end{pmatrix} = 0$ 

For the other method, note as operators we can write $I = |0\rangle\langle 0| + |1\rangle\langle 1|$, and $X$ swaps basis vectors, giving $X = |0\rangle\langle 1| + |1\rangle\langle 0|$. Then we have 

(219) $I \otimes X = (|0\rangle\langle 0| + |1\rangle\langle 1|) \otimes (|0\rangle\langle 1| + |1\rangle\langle 0|)$ 

(220) $= |00\rangle\langle 01| + |01\rangle\langle 00| + |10\rangle\langle 11| + |11\rangle\langle 10|$ 

where we used the fact $|a\rangle\langle b| \otimes |c\rangle\langle d| = |ac\rangle\langle bd|$. Apply this and use orthonormality, 

(221) $\langle\beta_{00}| I \otimes X |\beta_{10}\rangle = \frac{\langle 00| + \langle 11|}{\sqrt{2}}\left(|00\rangle\langle 01| + |01\rangle\langle 00| + |10\rangle\langle 11| + |11\rangle\langle 10|\right)\frac{|00\rangle - |11\rangle}{\sqrt{2}}$ 

(222) $= \frac{\langle 00| + \langle 11|}{\sqrt{2}} \cdot \frac{|01\rangle - |10\rangle}{\sqrt{2}}$ 

(223) $= 0$ 

where we get terms like $\langle 00|00\rangle\langle 01|00\rangle = 1 \cdot 0 = 0$. 

Homework C.4. Write the matrices above in operator form for practice. 

Homework C.5. Compute the eigen-values and eigen-vectors for the matrices 
defined above. They will be useful. 

Homework C.6. Understand the behavior of each matrix above on the Bloch sphere 
representation of a qubit. 

C.1.8. Useful Linear Algebra Theorems. 

Theorem C.5 (Cauchy-Schwarz Inequality). $|\langle v|w\rangle|^2 \le \langle v|v\rangle\langle w|w\rangle$ 

Theorem C.6 (Spectral Decomposition). Any normal operator M on a vector 
space V is diagonal with respect to some orthonormal basis for V . Conversely, any 
diagonalizable operator is normal. 
Proof. Sketch: Induct on $d = \dim V$. $d = 1$ is trivial. Let $\lambda$ be an eigenvalue of $M$, $P$ the projector onto the $\lambda$ eigenspace, and $Q$ the projector onto the orthogonal complement. $M = PMP + QMQ$ is diagonal with respect to some basis (strip off an eigenvalue one at a time...). □ 

Check: There is a matrix $P$, with unit eigenvectors as columns, so that $PMP^\dagger$ is diagonal, with entries the eigenvalues. 

Theorem C.7 (Simultaneous diagonalization). Suppose $A$ and $B$ are Hermitian operators on a vector space $V$. Then $[A, B] = 0 \iff$ there exists an orthonormal basis such that both $A$ and $B$ are diagonal with respect to that basis. 

Theorem C.8 (Polar decomposition). Let $A$ be a linear operator on a vector space $V$. Then there exists a unitary $U$ and positive operators $J$ and $K$ such that 

$A = UJ = KU$ 

where the unique $J$ and $K$ are given by $J = \sqrt{A^\dagger A}$ and $K = \sqrt{AA^\dagger}$. Moreover, $A$ invertible implies $U$ is unique. 

Proof. $J = \sqrt{A^\dagger A}$ is positive, so spectral gives $J = \sum_i \lambda_i |i\rangle\langle i|$, ($\lambda_i \ge 0$). Let $|\phi_i\rangle = A|i\rangle$. For $\lambda_i \ne 0$, let $|e_i\rangle = |\phi_i\rangle/\lambda_i$. Extend to an orthonormal basis $|e_i\rangle$, and define the unitary $U = \sum_i |e_i\rangle\langle i|$. This satisfies $A = UJ$. Multiply on the left by the adjoint $A^\dagger = JU^\dagger$ giving $J^2 = A^\dagger A$, so $J = \sqrt{A^\dagger A}$. 

Then $A = UJ = UJU^\dagger U = KU$ with $K = UJU^\dagger$. This $K = \sqrt{AA^\dagger}$. □ 

Theorem C.9 (Singular value decomposition). Let $A$ be a square matrix. Then there exist unitary $U$ and $V$, and diagonal $D$, such that 

$A = UDV$ 

The diagonal elements of $D$ are called singular values of $A$. 

Proof. By polar decomposition, $A = SJ$ for $S$ unitary and $J$ positive. By spectral, $J = TDT^\dagger$, $T$ unitary, $D$ diagonal with nonnegative entries. $U = ST$ and $V = T^\dagger$ completes the proof. □ 

Theorem C.10. Every unitary $2 \times 2$ matrix can be expressed as 

(224) $U = \begin{pmatrix} e^{i\alpha} & 0 \\ 0 & e^{i\alpha} \end{pmatrix}\begin{pmatrix} e^{-i\beta/2} & 0 \\ 0 & e^{i\beta/2} \end{pmatrix}\begin{pmatrix} \cos\frac{\gamma}{2} & -\sin\frac{\gamma}{2} \\ \sin\frac{\gamma}{2} & \cos\frac{\gamma}{2} \end{pmatrix}\begin{pmatrix} e^{-i\delta/2} & 0 \\ 0 & e^{i\delta/2} \end{pmatrix}$ 

Note: Notice the third matrix is a usual rotation in the plane. The 2nd and 4th matrices are $Z$-axis rotations on the Bloch sphere, and the first matrix is merely a phase shift of the entire state. This decomposition gives some intuition of how a single qubit operator acts. 

Theorem C.11 (Z-Y decomposition for a single qubit). Let $U$ be a unitary operation on a single qubit. Then there are real numbers $\alpha, \beta, \gamma, \delta$ such that 

$U = e^{i\alpha} R_z(\beta) R_y(\gamma) R_z(\delta)$ 

Note: Similarly there are X-Y, Z-X, etc. decomposition theorems. 

Theorem C.12 (ABC corollary). Suppose $U$ is a unitary gate on a single qubit. Then there are unitary operators $A$, $B$, and $C$, such that $ABC = I$, and $U = e^{i\alpha} A X B X C$, where $\alpha$ is some overall phase factor. 
Proof. Apply Theorem C.11 with $A = R_z(\beta) R_y(\gamma/2)$, $B = R_y(-\gamma/2) R_z(-(\delta + \beta)/2)$, and $C = R_z((\delta - \beta)/2)$. □ 

This weird looking theorem becomes very useful when trying to construct quantum circuits. It allows one to use a Controlled NOT gate (a circuit that flips a qubit based on the state of another qubit) to construct arbitrary controlled $U$ gates. 

C.1.9. Useful Linear Algebra Facts! Here are some facts that help in computations and proofs when dealing with quantum computing. 

(1) Any complex $n \times n$ matrix $A$ can be written as a sum of 4 positive Hermitian matrices: $A = B + iC$ with $B, C$ Hermitian, $B = \frac{1}{2}(A^* + A)$, and $C$ accordingly. Then any Hermitian $B$ can be written as the sum of 2 positive Hermitian matrices $B = (B + \lambda I) - \lambda I$ where $-\lambda$ is the most negative eigenvalue of $B$. 

(2) Every positive $A$ is of the form $BB^*$. 

(3) $|a_1\rangle\langle a_2| \otimes |b_1\rangle\langle b_2| = |a_1 b_1\rangle\langle a_2 b_2|$ (useful in partial trace operations). 

(4) Trace of kets: $|\psi\rangle = \sum_{i,j} a_{ij}|ij\rangle$, when converted to a density matrix $\rho = |\psi\rangle\langle\psi|$, and then the trace is taken over the $j$, gives 

so it seems $\mathrm{tr}_B(|\psi\rangle)$ should be something like $\sum_i \sqrt{\sum_j |a_{i,j}|^2}\,|i\rangle$. In particular, tracing out some columns in $|011010\rangle$ removes those columns, but the new kets are not a simple sum of the previous ones... It may be ok to sum probabilities, then sqrt when collapsing, but I am not clear. 

(5) Unitary also satisfies $UU^\dagger = I$, so $U$ is normal and has a spectral decomposition (all QC ops are unitary!). 

(6) Unitary preserves inner products. 

(7) Positive $\Rightarrow$ Hermitian $\Rightarrow$ normal. 

(8) $A^\dagger A$ is positive for any linear operator $A$. 

(9) Tensor of unitary (resp. Hermitian, positive, projector) is unitary (resp. ...). 

(10) If $P = \begin{pmatrix} a & b \\ c & d \end{pmatrix}$ is invertible, then $P^{-1} = \frac{1}{ad - bc}\begin{pmatrix} d & -b \\ -c & a \end{pmatrix}$. 

(11) Given eigenvectors $v_1$ and $v_2$ of $B$, with eigenvalues $\lambda_1$ and $\lambda_2$, create the change of basis matrix $P = (v_1 \;\; v_2)$. Then the diagonal matrix $D$ is $\begin{pmatrix} \lambda_1 & 0 \\ 0 & \lambda_2 \end{pmatrix}$. 

(12) $W$ is a subspace of $V$ with basis $|i\rangle$. Projection to $W$ is $P = \sum_i |i\rangle\langle i|$. $Q = I - P$ is the projection onto the orthogonal complement. 

(13) Eigenvectors with distinct eigenvalues of a Hermitian operator are orthogonal. 

(14) $\hat{n}\cdot\sigma$ has eigenvalues $\pm 1$ with corresponding (unnormalized) eigenvectors $\begin{pmatrix} n_z \pm 1 \\ n_x + i n_y \end{pmatrix}$. 

(15) $U$ unitary $\Rightarrow$ $U$ has a spectral decomposition $\Rightarrow$ $U$ is diagonal in some orthonormal basis $\Rightarrow$ $U = \mathrm{diag}(e^{i\alpha_1}, e^{i\alpha_2}, \ldots, e^{i\alpha_n})$ $\Rightarrow$ $U$ has a unitary $n$th root $V$, $V^n = U$. 

(16) $\mathrm{tr}(|\psi\rangle\langle\phi|) = \langle\phi|\psi\rangle$. 

(17) For unit vectors $\hat{r}$ and $\hat{s}$, $(\hat{r}\cdot\sigma)(\hat{s}\cdot\sigma) = (\hat{r}\cdot\hat{s})\, I + i(\hat{r} \times \hat{s})\cdot\sigma$. 

C.1.10. Some Basic Identities. There are lots of identities between the operators we have above which will be useful in reducing circuits later on. This is a good place to list some. 

$[X, Y] = 2iZ \qquad [Y, Z] = 2iX \qquad [Z, X] = 2iY$ 

$\{\sigma_i, \sigma_j\} = 2\delta_{ij} I \text{ for } i, j \ne 0 \qquad \sigma_i^2 = I$ 

$R_z(\pi/2)\, R_x(\pi/2)\, R_z(\pi/2) = e^{-i\pi/2} H$ 

$XYX = -Y \Rightarrow X R_y(\theta) X = R_y(-\theta)$ 

$HXH = Z \qquad HYH = -Y \qquad HZH = X$ 

$HTH = (\text{phase}) \cdot R_x(\pi/4)$ 

$C$ is CNOT, $X_j$ is $X$ acting on qubit $j$, etc. 

$C X_1 C = X_1 X_2 \qquad C Y_1 C = Y_1 X_2$ 

$C Z_1 C = Z_1 \qquad C X_2 C = X_2$ 

$C Y_2 C = Z_1 Y_2 \qquad C Z_2 C = Z_1 Z_2$ 

$R_{z,1}(\theta)\, C = C\, R_{z,1}(\theta) \qquad R_{x,2}(\theta)\, C = C\, R_{x,2}(\theta)$ 

For $j, k = 1, 2, 3$, $\sigma_j \sigma_k = \delta_{jk} I + i\sum_{l=1}^{3} \epsilon_{jkl}\, \sigma_l$ where $\epsilon_{jkl}$ is the antisymmetric tensor on 3 indices.$^{51}$ 

Homework C.7. Check these identities using the matrix form and the operator form to gain mastery of these calculations. 

C.1.11. Measuring the Qubits. The final operation we need to understand about qubits is, how can we get information back out of them? The process is called measurement, and there are several equivalent ways to think about it. We will cover the easiest to understand, intuitively and mathematically. However, to gain precise control over measurements, we will have to resort later to an equivalent, yet more complicated, measurement framework. 

Quantum Mechanics Postulate 3: State Measurement Quantum measurements are described by a collection $\{M_m\}$ of measurement operators. These are operators acting on the state space of a system being measured. The index $m$ refers to the measurement outcomes that may occur in the experiment. If the state of the system is $|\psi\rangle$ immediately before the measurement, then the probability that result $m$ occurs is given by 

(225) $p(m) = \langle\psi| M_m^\dagger M_m |\psi\rangle$ 

and the state of the system after the measurement is 

(226) $\frac{M_m |\psi\rangle}{\sqrt{p(m)}}$ 

The measurement operators satisfy the completeness equation 

(227) $\sum_m M_m^\dagger M_m = I$ 

$^{51}$ Exercise 2.43 in Nielsen and Chuang. All of these identities appear in the book, as exercises or in the text. 

Finally, note cascaded measurements are single measurements. Thus if your algorithm calls for a succession of measurements, this is equivalent to a single measurement. 
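The following Python, added here and not part of the paper, performs the operator calculations of C.1.5 and C.1.7 and of Postulate 3 in one place: $\sqrt{\mathrm{NOT}}$ by diagonalizing $X$ through its eigenvector matrix $P$, the $\langle\beta_{00}| I \otimes X |\beta_{10}\rangle$ example, and a first-qubit measurement written as operators $M_0 = |0\rangle\langle 0| \otimes I$, $M_1 = |1\rangle\langle 1| \otimes I$ with equations (225) to (227) checked on a constructed state; all function names are constructed here.

```python
import cmath
import math

# 2x2 matrices as nested lists; kets as plain lists treated as column vectors.
I2 = [[1, 0], [0, 1]]
X = [[0, 1], [1, 0]]                       # equation (204), the NOT operator


def matmul(A, B):
    return [[sum(A[i][k] * B[k][j] for k in range(len(B))) for j in range(len(B[0]))]
            for i in range(len(A))]


def dagger(A):
    """Conjugate transpose A^dagger."""
    return [[A[j][i].conjugate() for j in range(len(A))] for i in range(len(A[0]))]


def kron(A, B):
    """Tensor product of matrices; kron(I2, X) is the 4x4 matrix I (x) X of (217)."""
    return [[a * b for a in row_a for b in row_b] for row_a in A for row_b in B]


def apply(A, v):
    return [sum(A[i][j] * v[j] for j in range(len(v))) for i in range(len(A))]


def braket(u, v):
    return sum(a.conjugate() * b for a, b in zip(u, v))


def close(A, B, eps=1e-12):
    return all(abs(a - b) < eps for ra, rb in zip(A, B) for a, b in zip(ra, rb))


def function_of_x(f):
    """f(X) by the recipe of C.1.5: the eigenvectors (1,1) and (1,-1) of X form the
    columns of P, P^{-1} X P = diag(1, -1), and f(X) = P diag(f(1), f(-1)) P^{-1}."""
    P = [[1, 1], [1, -1]]
    P_inv = [[0.5, 0.5], [0.5, -0.5]]
    D = [[f(1), 0], [0, f(-1)]]
    return matmul(matmul(P, D), P_inv)


SQRT_NOT = function_of_x(cmath.sqrt)       # (1/2) [[1+i, 1-i], [1-i, 1+i]]

# Bell states beta_00 and beta_10, equations (209) and (211).
BELL_00 = [1 / math.sqrt(2), 0, 0, 1 / math.sqrt(2)]
BELL_10 = [1 / math.sqrt(2), 0, 0, -1 / math.sqrt(2)]


def bell_example():
    """<beta_00| I (x) X |beta_10>, the matrix-multiplication route of (216)-(218)."""
    return braket(BELL_00, apply(kron(I2, X), BELL_10))


# Postulate 3 for measuring the first of two qubits in the computational basis:
# M_0 = |0><0| (x) I and M_1 = |1><1| (x) I.
PROJ = {0: [[1, 0], [0, 0]], 1: [[0, 0], [0, 1]]}
M = {m: kron(PROJ[m], I2) for m in (0, 1)}


def completeness_holds():
    """Equation (227): sum_m M_m^dagger M_m = I on two qubits."""
    total = [[0] * 4 for _ in range(4)]
    for m in M:
        MdM = matmul(dagger(M[m]), M[m])
        total = [[t + x for t, x in zip(rt, rx)] for rt, rx in zip(total, MdM)]
    return close(total, kron(I2, I2))


def measure(psi, m):
    """Equations (225) and (226): p(m) = <psi|M_m^dagger M_m|psi> and the
    post-measurement state M_m|psi>/sqrt(p(m)); (0.0, None) if p(m) = 0."""
    Mpsi = apply(M[m], psi)
    p = braket(psi, apply(dagger(M[m]), Mpsi)).real
    if p == 0:
        return 0.0, None
    return p, [a / math.sqrt(p) for a in Mpsi]


if __name__ == "__main__":
    print(close(matmul(SQRT_NOT, SQRT_NOT), X))           # True: sqrt(NOT)^2 = X
    print(bell_example())                                 # 0.0
    print(completeness_holds(), measure(BELL_00, 0)[0])   # True 0.5
```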

C.1.12. Combining States and Partial States. Quantum Mechanics Postulate 4: State Combining The state space of a composite physical system is the tensor product of the state spaces of the component systems. Moreover, if we have systems numbered 1 through $n$, and system number $j$ is prepared in the state $|\psi_j\rangle$, then the joint state of the total system is $|\psi_1\rangle \otimes |\psi_2\rangle \otimes \ldots \otimes |\psi_n\rangle$. 

And that is all there is to quantum mechanics (as far as we are concerned). These four postulates form the basis of all that is known about quantum mechanics, a physical theory that has stood for over seven decades, and is used to explain phenomena at many scales. 

However, quantum mechanics does not mesh well with the other main intellectual achievement in theoretical physics in the 20th century, relativity. Combining these two theories into a unified framework has occupied the best minds for over 50 years, and currently superstring theory is the best candidate for this unification. 

Using the above postulates gives us an important theorem from Wootters and Zurek [127]. 

C.1.13. The No Cloning Theorem. 

Theorem C.13 (The No Cloning Theorem). It is impossible to build a machine that can clone any given quantum state. 

This is in stark contrast to the classical case, where we copy information all the time. 

Proof. Suppose we have a machine with two slots: $A$ for the quantum state $|\psi\rangle$ to be cloned, and $B$ in some fixed initial state $|s\rangle$, and the machine makes a copy of the quantum state $A$. By the rules of quantum mechanics, the evolution $U$ is unitary, so we have 

(228) $|\psi\rangle \otimes |s\rangle \xrightarrow{U} |\psi\rangle \otimes |\psi\rangle$ 

Now suppose we have two states we wish to clone, $|\psi\rangle$ and $|\varphi\rangle$, giving 

$U(|\psi\rangle \otimes |s\rangle) = |\psi\rangle \otimes |\psi\rangle$ 

$U(|\varphi\rangle \otimes |s\rangle) = |\varphi\rangle \otimes |\varphi\rangle$ 

Taking the inner product of these two equations, and using $U^\dagger U = I$: 

$(\langle\varphi| \otimes \langle s|)\, U^\dagger U\, (|\psi\rangle \otimes |s\rangle) = (\langle\varphi| \otimes \langle\varphi|)(|\psi\rangle \otimes |\psi\rangle)$ 

$\langle\varphi|\psi\rangle = (\langle\varphi|\psi\rangle)^2$ 

This has solutions if and only if $\langle\varphi|\psi\rangle$ is 0 or 1, so cloning cannot be done for general states.$^{52}$ □ 

This ends the quantum mechanics for quantum computing primer. 

$^{52}$ There is a lot of research on what can be cloned, how much information can be cloned, etc. 
Appendix D. Random Group Generation 

This section is derived from Igor Pak's online lecture notes [103]. The point of this section is to prove 

Theorem D.1. Let $G$ be a finite group. For an integer $t \ge 0$, the probability that $t + \lceil \log|G| \rceil$ elements chosen uniformly at random from $G$ will generate $G$ is bounded by 

(229) $\mathrm{prob}\{\langle g_1, g_2, \ldots, g_{t + \lceil \log|G| \rceil}\rangle = G\} \ge 1 - \frac{1}{2^t}$ for $t \ge 0$ 

We will need some preliminaries to prove this. The idea will be to bound the number of elements that should generate $G$ by the number needed by the "hardest" to generate group, which can be shown to be $\mathbb{Z}_2^r$, and then estimate how many elements are needed to generate the latter group. First some notation: 

Definition D.2. Given a finite group $G$, and elements $g_1, g_2, \ldots, g_t$ chosen uniformly at random from $G$, denote the probability that the $g_i$ generate $G$ by 

$\psi_t(G) = \mathrm{prob}\{\langle g_1, g_2, \ldots, g_t\rangle = G\}.$ 

First a reduction to a simpler group: 

Lemma D.3. Let $|G| \le 2^r$, $r \ge 1$. Then for all $t \ge 1$, $\psi_t(G) \ge \psi_t(\mathbb{Z}_2^r)$, where $\mathbb{Z}_2^r$ is the additive group of binary $r$-tuples. 

Proof. Fix $t$ and a subgroup $H \subset G$. For a given sequence $g_1, g_2, \ldots, g_t$ of $G$, define subgroups $H_j$ of $G$ as $H_1 = \langle g_1\rangle$, $H_2 = \langle g_1, g_2\rangle$, $H_3 = \langle g_1, g_2, g_3\rangle$, etc. Let $H'_j$ be the similarly defined subgroups of $\mathbb{Z}_2^r$. Let $\tau_1, \tau_2, \ldots, \tau_L$ be the indices $j$ where $H_j \ne H_{j-1}$, and define similarly $\tau'_1, \tau'_2, \ldots, \tau'_r$ for the $H'_j$. We will induct on $|G|$. When $|G| = 1$, the theorem is true. Let $s = \tau_{L-1}$. We compute 

$\mathrm{prob}(\tau_L - \tau_{L-1} \le t \mid H_s = H) = 1 - \left(\frac{|H|}{|G|}\right)^t \ge 1 - \frac{1}{2^t} = 1 - \mathrm{prob}(\tau'_r - \tau'_{r-1} > t) = \mathrm{prob}(\tau'_r - \tau'_{r-1} \le t)$ 

This, combined with the induction assumption $\mathrm{prob}(\tau_{L-1} \le t) \ge \mathrm{prob}(\tau'_{r-1} \le t)$, gives 

(230) $\mathrm{prob}(\tau_L \le t \mid H_s = H) \ge \mathrm{prob}(\tau'_r \le t) = \psi_t(\mathbb{Z}_2^r)$ 

This holds for any fixed $t$ and $H$, so the theorem follows. □ 

Lemma D.4.$^{53}$ 

$\psi_{r+t}(\mathbb{Z}_2^r) \ge 1 - \frac{1}{2^t}$ for $t \ge 0$ 

$^{53}$ The article [103] proved a stronger form, but this is sufficient for our purposes. 
Proof. View $\mathbb{Z}_2^r$ as the r-dimensional vector space over the 2-element field $\mathbb{Z}_2$. Then 
$\psi_{r+t}(\mathbb{Z}_2^r)$ is the probability that r + t randomly chosen vectors span the entire r-
dimensional space $\mathbb{Z}_2^r$. If we write the r + t vectors as rows of an $(r+t) \times r$ matrix, 
then this is the probability that the matrix has column rank r. This happens if 
and only if all r columns are linearly independent. 

The first column (which has r + t entries) is nonzero with probability $\left(1 - \frac{1}{2^{r+t}}\right)$. 
The probability that the second column is linearly independent of the first is 

$1 - \frac{1}{2^{r+t-1}},$ 

and so on. Thus for t > 0 we get that 

$$\begin{aligned}
\psi_{r+t}(\mathbb{Z}_2^r) &= \left(1 - \frac{1}{2^{t+r}}\right)\left(1 - \frac{1}{2^{t+r-1}}\right)\cdots\left(1 - \frac{1}{2^{t+1}}\right) \\
&= 1 - \frac{1}{2^t}\sum_{a=1}^{r}\frac{1}{2^a} + \frac{1}{4^t}\sum_{\substack{a,b=1 \\ a<b}}^{r}\frac{1}{2^{a+b}} - \frac{1}{8^t}\sum_{\substack{a,b,c=1 \\ a<b<c}}^{r}\frac{1}{2^{a+b+c}} + \cdots \\
&= 1 - \frac{1}{2^t}\sum_{a=1}^{r}\frac{1}{2^a} + \frac{1}{4^t}\sum_{\substack{a,b=1 \\ a<b}}^{r}\frac{1}{2^{a+b}}\left(1 - \frac{1}{2^t}\sum_{\substack{c=1 \\ c>b}}^{r}\frac{1}{2^{c}}\right) + \cdots \\
&\ge 1 - \frac{1}{2^t}\sum_{a=1}^{r}\frac{1}{2^a} \\
&\ge 1 - \frac{1}{2^t}.
\end{aligned}$$

Note that in the lines above the ellipses denote a finite number of terms, 
which can be paired up similarly to the two terms shown (each bracketed factor is 
nonnegative because $\sum_c 2^{-c} < 1 \le 2^t$), with at most one final 
positive term which can then be dropped in the inequality. □ 



Now we prove theorem D.1. 

Proof. Set $r = \lceil \log|G| \rceil$, giving $|G| \le 2^r$. Then for $t > 0$ we have $\psi_{t+r}(G) \ge 
\psi_{t+r}(\mathbb{Z}_2^r)$ by lemma D.3, and then this is $\ge 1 - \frac{1}{2^t}$ by lemma D.4, which proves 
theorem D.1. 

□ 



Finally, note there are much better bounds, but this one gives the exponential 
performance we need for our purposes. 
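A numerical check of Lemma D.4, added here as an example and not part of the original paper: the exact value of $\psi_{r+t}(\mathbb{Z}_2^r)$ is obtained by enumerating every $(r+t)$-tuple of vectors and testing whether they span (a GF(2) rank routine), then compared with the product formula from the proof and with the bound $1 - 1/2^t$. All function names are my own.

```python
from fractions import Fraction
from itertools import product


def rank_gf2(rows, r):
    """Rank over GF(2) of row vectors given as r-bit ints, by Gaussian elimination
    with XOR row operations; the rows span Z_2^r exactly when the rank is r."""
    rows = list(rows)
    rank = 0
    for bit in range(r - 1, -1, -1):
        pivot = next((i for i in range(rank, len(rows)) if rows[i] >> bit & 1), None)
        if pivot is None:
            continue
        rows[rank], rows[pivot] = rows[pivot], rows[rank]
        for i in range(len(rows)):
            if i != rank and rows[i] >> bit & 1:
                rows[i] ^= rows[rank]
        rank += 1
    return rank


def psi_exact(r, t):
    """Exact psi_{r+t}(Z_2^r): fraction of the 2^(r(r+t)) ordered (r+t)-tuples of
    vectors in Z_2^r that generate the whole group. Exhaustive, so keep r, t small."""
    spanning = sum(1 for rows in product(range(1 << r), repeat=r + t)
                   if rank_gf2(rows, r) == r)
    return Fraction(spanning, 2 ** (r * (r + t)))


def psi_product(r, t):
    """Closed form from the proof of Lemma D.4: the columns of the (r+t) x r matrix
    are independent of the earlier ones with probabilities 1 - 1/2^(t+a), a = r..1."""
    p = Fraction(1)
    for a in range(1, r + 1):
        p *= 1 - Fraction(1, 2 ** (t + a))
    return p


def lemma_d4_bound(t):
    """The bound 1 - 1/2^t of Lemma D.4 (hence of Theorem D.1 with r = ceil(log|G|))."""
    return 1 - Fraction(1, 2 ** t)


if __name__ == "__main__":
    for r, t in ((2, 1), (3, 1), (3, 2)):
        print(r, t, psi_exact(r, t), psi_product(r, t), lemma_d4_bound(t))
```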



Appendix E. GCD Probabilities 

This appendix shows the proof that the probability that the GCD of integers 
uniformly sampled from a fixed range equals 1 becomes exponentially close to 1 in terms of 
the number of samples. The formal result is lemma E.3. 

Unfortunately we need the next result, which we state without proof, to get started. 
Lemma E.1 ([121]). Let $\varphi(n)$ be the Euler totient function (see footnote 54). Then for any positive 
integer n, 

(231) $\left| \sum_{c=1}^{n} \varphi(c) - \frac{3n^2}{\pi^2} \right| < n \ln n,$ 

where ln n is log base e. 

Lemma E.2. Fix an integer n > 0. Choose two nonnegative integers $a, b \le n$ 
uniformly at random. Then the probability that gcd(a, b) = 1 is $\ge \frac{1}{2}$. 

Proof. Given the uniformly randomly chosen integers a, b, the probability that 
$\max\{a, b\} = c$ is $\frac{2c+1}{(n+1)^2}$. This can be seen by looking at a matrix with en-
try (i, j), and counting elements, for $i, j \in \{0, 1, \ldots, n\}$. Assuming c > 0, which 
happens with probability $p_0 = \frac{(n+1)^2 - 1}{(n+1)^2}$, the probability that the second integer is 
relatively prime to the largest one c is precisely $\frac{2\varphi(c)}{2c+1}$, so the probability $p_n$ that 
gcd(a, b) = 1 is exactly 

(232) $p_n = p_0 \sum_{c=1}^{n} \frac{2c+1}{n^2+2n} \cdot \frac{2\varphi(c)}{2c+1}$ 

(233) $= \frac{2n^2+4n}{(n+1)^2} \cdot \frac{1}{n^2+2n} \sum_{c=1}^{n} \varphi(c)$ 

(234) $\ge \frac{2}{(n+1)^2} \sum_{c=1}^{n} \varphi(c).$ 

By lemma E.1, $\sum_{c=1}^{n} \varphi(c) \ge \frac{3n^2}{\pi^2} - n \ln n$, giving 

(235) $p_n \ge \frac{2n^2+4n}{(n+1)^2} \cdot \frac{3n^2 - \pi^2 n \ln n}{\pi^2 (n^2+2n)}.$ 

Denoting the right hand side by f(n), it is easy to check f is increasing (see footnote 55) for n > 4 
and that f(94) > 0.5, proving the proposition for integers $n \ge 94$. The remaining 
cases n = 1, 2, ..., 93 can be easily (yet tediously) checked using equation 233. I 
recommend Mathematica or Maple. □ 

Lemma E.3. Suppose we have $k \ge 2$ uniformly random samples $t_1, t_2, \ldots, t_k$ from 
the integers $\{0, 1, \ldots, d - 1\}$ for an integer $d \ge 2$. Then 

$\mathrm{prob}(\gcd(t_1, t_2, \ldots, t_k) = 1) \ge 1 - \left(\frac{1}{2}\right)^{\lfloor k/2 \rfloor}.$ 

Proof. Consider the samples taken as pairs. Certainly if any pair $t_{2j-1}$ and $t_{2j}$ 
are relatively prime, then $\gcd(t_1, t_2, \ldots, t_k) = 1$. By lemma E.2 the probabil-
ity that $\gcd(t_{2j-1}, t_{2j}) > 1$ is $\le \frac{1}{2}$, so the probability that every such pair, $j = 
1, 2, \ldots, \lfloor k/2 \rfloor$, has gcd > 1 is $\le \left(\frac{1}{2}\right)^{\lfloor k/2 \rfloor}$. Thus the probability that 
$\gcd(t_1, t_2, \ldots, t_k) = 1$ is $\ge 1 - \left(\frac{1}{2}\right)^{\lfloor k/2 \rfloor}$. □ 



54 For a positive integer n, $\varphi(n)$ returns the number of positive integers less than n and relatively 
prime to n. 

55 $\lim_{n \to \infty} f(n) = 6/\pi^2$, agreeing with Dirichlet's 1849 theorem to that effect. 
Finally we note that the above estimates and probabilities are very conservative, 
yet they yield the essential fact that the probability of success increases exponentially 
with the number of trials. 